Analysis

Category Package Started Completed Duration Options Log(s)
FILE exe 2025-06-13 19:05:20 2025-06-13 19:36:26 1866 seconds
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,334 [root] INFO: Date set to: 20250613T10:38:13, timeout set to: 1800
2025-06-13 11:38:13,176 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-13 11:38:13,176 [root] DEBUG: Storing results at: C:\qDdlkFnGz
2025-06-13 11:38:13,176 [root] DEBUG: Pipe server name: \\.\PIPE\wXevDSJXBA
2025-06-13 11:38:13,176 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 11:38:13,176 [root] INFO: analysis running as an admin
2025-06-13 11:38:13,176 [root] INFO: analysis package specified: "exe"
2025-06-13 11:38:13,192 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 11:38:14,114 [root] DEBUG: imported analysis package "exe"
2025-06-13 11:38:14,114 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 11:38:14,114 [lib.common.common] INFO: wrapping
2025-06-13 11:38:14,114 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 11:38:14,129 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\OutlookStatView.exe
2025-06-13 11:38:14,129 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 11:38:14,129 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 11:38:14,129 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 11:38:14,129 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 11:38:14,302 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 11:38:14,317 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 11:38:14,348 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 11:38:14,364 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 11:38:14,364 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 11:38:14,364 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 11:38:14,364 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 11:38:14,379 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 11:38:14,379 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 11:38:14,379 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 11:38:14,379 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 11:38:14,379 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 11:38:14,379 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 11:38:14,379 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 11:38:14,379 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 11:38:14,379 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 11:38:14,379 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 11:38:14,379 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 11:38:35,801 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-13 11:38:35,801 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 11:38:35,801 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 11:38:35,801 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 11:38:35,801 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 11:38:35,801 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 11:38:35,801 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 11:38:35,801 [modules.auxiliary.disguise] INFO: Disguising GUID to eebf7374-c733-4252-9a71-d3c91b91d619
2025-06-13 11:38:35,801 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 11:38:35,801 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 11:38:35,801 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 11:38:35,801 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 11:38:35,801 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 11:38:35,817 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 11:38:35,817 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 11:38:35,817 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 11:38:35,817 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 11:38:35,817 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 11:38:35,817 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 11:38:35,817 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 11:38:35,817 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 11:38:35,817 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 11:38:35,817 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 11:38:35,817 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 11:38:35,817 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 11:38:35,895 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-13 11:38:35,895 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 11:38:35,895 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 11:38:35,895 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 11:38:35,895 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 11:38:35,895 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 11:38:35,895 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 11:38:35,911 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\EeGlvdpK.dll, loader C:\tmpjeo7jmad\bin\PoaYJsgW.exe
2025-06-13 11:38:36,036 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 11:38:36,036 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\EeGlvdpK.dll.
2025-06-13 11:38:36,036 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 11:38:36,036 [root] INFO: Disabling sleep skipping.
2025-06-13 11:38:36,036 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 11:38:36,036 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 11:38:36,036 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 11:38:36,036 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 11:38:36,036 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 11:38:36,051 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 11:38:36,067 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 11:38:36,067 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 11:38:36,067 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822670000, thread 6236, image base 0x00007FF60D500000, stack from 0x0000008EFABF4000-0x0000008EFAC00000
2025-06-13 11:38:36,067 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 11:38:36,098 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 11:38:36,098 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 11:38:36,098 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\EeGlvdpK.dll.
2025-06-13 11:38:36,098 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-1 <truncated>

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-13 19:05:20 2025-06-13 19:36:07 none

File Details

File Name OutlookStatView.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 242552 bytes
MD5 108c1a41d58ba88b4dfd358b72e03366
SHA1 95f38889bf7b073b9f641290139e6e47a0de5050
SHA256 6a87c8f19275cec2457028bbe8b74343e4a6df2be9ea61e2d32220d2f9489f43
SHA3-384 f3d951a321c87c1f9e5aac37e1b7b0b366776da8361880bf7e6d044a7eab2f6ecfa9b9d3a1d72ca4483957f5fe3f5b94
CRC32 9F9262CD
TLSH T13B344A4673A048E9E8BBD675CDA38616E6B1B8554730D3CF0360CAAA5F237D1BD39312
Ssdeep 6144:Lu4ZvHt63WHOt8RFNnzx9yQ87CYmOz9ZOf3TAeInuqTM1rly:vvHQWuSvzA2nOz943TAGqTM1rly

PE Information

Image Base 0x140000000
Entry Point 0x00019490
Reported Checksum 0x0004a7bd
Actual Checksum 0x0004a7bd
Minimum OS Version 4.0
PDB Path c:\Projects\VS2005\OutlookStatView\x64\Release\OutlookStatView.pdb
Compile Time 2021-11-15 12:02:52
Import Hash a0262c52d28a4fbbd52e77c4dc5a2531
Icon Exact Hash 06ad48b4a3bf82a60dc1fd26b9713db1
Icon Similarity Hash 45a70ea68fe6374b15f92d0434a563b7
Icon DHash fe9e9e9c9ecce6ca

Version Infos

CompanyName NirSoft
FileDescription OutlookStatView
FileVersion 2.26
InternalName OutlookStatView
LegalCopyright Copyright © 2009 - 2021 Nir Sofer
OriginalFilename OutlookStatView.exe
ProductName OutlookStatView
ProductVersion 2.26
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0002779f 0x00027800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.35
.rdata 0x00027c00 0x00029000 0x000082f6 0x00008400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.09
.data 0x00030000 0x00032000 0x00005898 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.81
.pdata 0x00032200 0x00038000 0x00001cf8 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.24
.rsrc 0x00034000 0x0003a000 0x0000515c 0x00005200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.62

Overlay

Offset 0x00039200
Size 0x00002178

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x0003a838 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.78 None
RT_BITMAP 0x0003a96c 0x000003e8 LANG_HEBREW SUBLANG_DEFAULT 3.98 None
RT_BITMAP 0x0003ad54 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.41 None
RT_BITMAP 0x0003ae2c 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.45 None
RT_ICON 0x0003af04 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 4.99 None
RT_ICON 0x0003b46c 0x000008a8 LANG_HEBREW SUBLANG_DEFAULT 6.32 None
RT_ICON 0x0003bd14 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 2.40 None
RT_ICON 0x0003be3c 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 2.30 None
RT_MENU 0x0003bf64 0x000007c0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.46 None
RT_MENU 0x0003c724 0x000001c4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.19 None
RT_MENU 0x0003c8e8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.17 None
RT_DIALOG 0x0003c8fc 0x000000bc LANG_HEBREW SUBLANG_DEFAULT 2.87 None
RT_DIALOG 0x0003c9b8 0x00000296 LANG_HEBREW SUBLANG_DEFAULT 3.38 None
RT_DIALOG 0x0003cc50 0x000008a8 LANG_HEBREW SUBLANG_DEFAULT 3.52 None
RT_DIALOG 0x0003d4f8 0x00000138 LANG_ENGLISH SUBLANG_ENGLISH_US 3.26 None
RT_DIALOG 0x0003d630 0x000000fa LANG_HEBREW SUBLANG_DEFAULT 3.09 None
RT_DIALOG 0x0003d72c 0x00000336 LANG_ENGLISH SUBLANG_ENGLISH_US 3.55 None
RT_STRING 0x0003da64 0x000004a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 None
RT_STRING 0x0003df0c 0x00000062 LANG_ENGLISH SUBLANG_ENGLISH_US 2.41 None
RT_STRING 0x0003df70 0x00000070 LANG_ENGLISH SUBLANG_ENGLISH_US 2.52 None
RT_STRING 0x0003dfe0 0x000000ce LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 None
RT_STRING 0x0003e0b0 0x00000118 LANG_ENGLISH SUBLANG_ENGLISH_US 3.04 None
RT_STRING 0x0003e1c8 0x00000068 LANG_ENGLISH SUBLANG_ENGLISH_US 2.47 None
RT_STRING 0x0003e230 0x00000034 LANG_ENGLISH SUBLANG_ENGLISH_US 1.41 None
RT_STRING 0x0003e264 0x0000004e LANG_ENGLISH SUBLANG_ENGLISH_US 2.05 None
RT_STRING 0x0003e2b4 0x0000013e LANG_ENGLISH SUBLANG_ENGLISH_US 3.10 None
RT_STRING 0x0003e3f4 0x0000006c LANG_ENGLISH SUBLANG_ENGLISH_US 2.42 None
RT_STRING 0x0003e460 0x000000fa LANG_ENGLISH SUBLANG_ENGLISH_US 3.06 None
RT_STRING 0x0003e55c 0x00000218 LANG_ENGLISH SUBLANG_ENGLISH_US 3.24 None
RT_STRING 0x0003e774 0x00000048 LANG_ENGLISH SUBLANG_ENGLISH_US 2.07 None
RT_STRING 0x0003e7bc 0x000001a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.19 None
RT_ACCELERATOR 0x0003e964 0x00000068 LANG_HEBREW SUBLANG_DEFAULT 3.04 None
RT_GROUP_CURSOR 0x0003e9cc 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 1.84 None
RT_GROUP_ICON 0x0003e9e0 0x00000022 LANG_HEBREW SUBLANG_DEFAULT 2.42 None
RT_GROUP_ICON 0x0003ea04 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 1.92 None
RT_GROUP_ICON 0x0003ea18 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.02 None
RT_VERSION 0x0003ea2c 0x000002e8 LANG_HEBREW SUBLANG_DEFAULT 3.38 None
RT_MANIFEST 0x0003ed14 0x00000447 LANG_ENGLISH SUBLANG_ENGLISH_US 5.40 None

Imports

Name Address
ImageList_Add 0x140029028
CreateStatusWindowW 0x140029030
CreateToolbarEx 0x140029038
ImageList_SetImageCount 0x140029040
ImageList_AddMasked 0x140029048
ImageList_Create 0x140029050
ImageList_ReplaceIcon 0x140029060
Name Address
VerQueryValueW 0x1400297d8
GetFileVersionInfoSizeW 0x1400297e0
GetFileVersionInfoW 0x1400297e8
Name Address
LocalFree 0x140029100
lstrlenW 0x140029108
GetNumberFormatW 0x140029110
LockResource 0x140029118
lstrcpyW 0x140029120
WideCharToMultiByte 0x140029128
GetCommandLineW 0x140029130
GlobalUnlock 0x140029138
LocalFileTimeToFileTime 0x140029140
GetTempPathW 0x140029148
GetLocaleInfoW 0x140029150
GetDateFormatW 0x140029158
GetTempFileNameW 0x140029160
GlobalLock 0x140029168
SizeofResource 0x140029170
GetLastError 0x140029178
GetFileSize 0x140029180
FormatMessageW 0x140029188
GetVersionExW 0x140029190
GetPrivateProfileStringW 0x140029198
WritePrivateProfileStringW 0x1400291a0
GetPrivateProfileIntW 0x1400291a8
EnumResourceNamesW 0x1400291b0
GetStdHandle 0x1400291b8
SetErrorMode 0x1400291c0
DeleteFileW 0x1400291c8
GetCurrentDirectoryW 0x1400291d0
ExpandEnvironmentStringsW 0x1400291d8
ExitProcess 0x1400291e0
GetCurrentProcessId 0x1400291e8
GetCurrentProcess 0x1400291f0
ReadProcessMemory 0x1400291f8
RaiseException 0x140029200
GetSystemTimeAsFileTime 0x140029208
TerminateProcess 0x140029210
OpenProcess 0x140029218
EnumResourceTypesW 0x140029220
WriteConsoleA 0x140029228
SetStdHandle 0x140029230
RtlLookupFunctionEntry 0x140029238
RtlVirtualUnwind 0x140029240
LoadLibraryExW 0x140029248
GetStringTypeW 0x140029250
GetStringTypeA 0x140029258
InitializeCriticalSection 0x140029260
LoadLibraryA 0x140029268
HeapReAlloc 0x140029270
LeaveCriticalSection 0x140029278
EnterCriticalSection 0x140029280
GetConsoleMode 0x140029288
GetConsoleCP 0x140029290
GetTickCount 0x140029298
QueryPerformanceCounter 0x1400292a0
DeleteCriticalSection 0x1400292a8
GetStartupInfoA 0x1400292b0
GetFileType 0x1400292b8
SetHandleCount 0x1400292c0
GetCommandLineA 0x1400292c8
GetEnvironmentStringsW 0x1400292d0
FreeEnvironmentStringsW 0x1400292d8
GetEnvironmentStrings 0x1400292e0
FreeEnvironmentStringsA 0x1400292e8
LCMapStringW 0x1400292f0
LCMapStringA 0x1400292f8
GetModuleFileNameA 0x140029300
HeapDestroy 0x140029308
HeapCreate 0x140029310
HeapSetInformation 0x140029318
RtlPcToFileHeader 0x140029320
IsValidCodePage 0x140029328
GetOEMCP 0x140029330
GetACP 0x140029338
GetCPInfo 0x140029340
RtlUnwindEx 0x140029348
HeapSize 0x140029350
Sleep 0x140029358
FlsAlloc 0x140029360
GetCurrentThreadId 0x140029368
SetLastError 0x140029370
FlsFree 0x140029378
TlsFree 0x140029380
FlsSetValue 0x140029388
FlsGetValue 0x140029390
GetModuleHandleA 0x140029398
RtlCaptureContext 0x1400293a0
IsDebuggerPresent 0x1400293a8
SetUnhandledExceptionFilter 0x1400293b0
UnhandledExceptionFilter 0x1400293b8
GetStartupInfoW 0x1400293c0
GetProcessHeap 0x1400293c8
GetVersionExA 0x1400293d0
HeapAlloc 0x1400293d8
HeapFree 0x1400293e0
MultiByteToWideChar 0x1400293e8
GlobalAlloc 0x1400293f0
SystemTimeToTzSpecificLocalTime 0x1400293f8
FileTimeToLocalFileTime 0x140029400
LoadResource 0x140029408
GetWindowsDirectoryW 0x140029410
CreateFileW 0x140029418
FindResourceW 0x140029420
CloseHandle 0x140029428
TzSpecificLocalTimeToSystemTime 0x140029430
GetModuleFileNameW 0x140029438
ReadFile 0x140029440
WriteFile 0x140029448
GetFileAttributesW 0x140029450
GetTimeFormatW 0x140029458
SetFilePointer 0x140029460
GetProcAddress 0x140029468
LoadLibraryW 0x140029470
GetModuleHandleW 0x140029478
FreeLibrary 0x140029480
CompareFileTime 0x140029488
GetLocalTime 0x140029490
SystemTimeToFileTime 0x140029498
FileTimeToSystemTime 0x1400294a0
GetConsoleOutputCP 0x1400294a8
WriteConsoleW 0x1400294b0
CreateFileA 0x1400294b8
FlushFileBuffers 0x1400294c0
GetLocaleInfoA 0x1400294c8
Name Address
RemoveMenu 0x140029508
InsertMenuW 0x140029510
DrawTextExW 0x140029518
IsDialogMessageW 0x140029520
SetMenuItemInfoW 0x140029528
CreatePopupMenu 0x140029530
GetKeyState 0x140029538
GetDlgCtrlID 0x140029540
GetMenuItemInfoW 0x140029548
RegisterWindowMessageW 0x140029550
TrackPopupMenu 0x140029558
PostQuitMessage 0x140029560
GetDC 0x140029568
ReleaseDC 0x140029570
SetCursor 0x140029578
ModifyMenuW 0x140029580
LoadMenuW 0x140029588
GetWindowTextW 0x140029590
DestroyWindow 0x140029598
LoadStringW 0x1400295a0
EnumChildWindows 0x1400295a8
DialogBoxParamW 0x1400295b0
DestroyMenu 0x1400295b8
GetMenuItemCount 0x1400295c0
CheckMenuItem 0x1400295c8
GetMessageW 0x1400295d0
MonitorFromWindow 0x1400295d8
GetMonitorInfoW 0x1400295e0
LoadCursorW 0x1400295e8
GetSysColorBrush 0x1400295f0
ShowWindow 0x1400295f8
ChildWindowFromPoint 0x140029600
CreateWindowExW 0x140029608
InsertMenuItemW 0x140029610
OpenClipboard 0x140029618
MoveWindow 0x140029620
GetClassNameW 0x140029628
GetSubMenu 0x140029630
EnableMenuItem 0x140029638
EmptyClipboard 0x140029640
GetMenu 0x140029648
GetParent 0x140029650
CloseClipboard 0x140029658
MapWindowPoints 0x140029660
EnableWindow 0x140029668
SetClipboardData 0x140029670
GetCursorPos 0x140029678
GetMenuStringW 0x140029680
CheckMenuRadioItem 0x140029688
BeginDeferWindowPos 0x140029690
EndDeferWindowPos 0x140029698
SetFocus 0x1400296a0
GetWindowLongW 0x1400296a8
SetWindowLongW 0x1400296b0
GetSysColor 0x1400296b8
TranslateMessage 0x1400296c0
LoadIconW 0x1400296c8
DispatchMessageW 0x1400296d0
PeekMessageW 0x1400296d8
LoadImageW 0x1400296e0
LoadAcceleratorsW 0x1400296e8
SetMenu 0x1400296f0
TranslateAcceleratorW 0x1400296f8
MessageBoxW 0x140029700
RegisterClassW 0x140029708
SendMessageW 0x140029710
PostMessageW 0x140029718
DefWindowProcW 0x140029720
DeferWindowPos 0x140029728
GetClientRect 0x140029730
GetSystemMetrics 0x140029738
BeginPaint 0x140029740
GetDlgItemTextW 0x140029748
SetDlgItemTextW 0x140029750
SetDlgItemInt 0x140029758
UpdateWindow 0x140029760
GetWindowPlacement 0x140029768
SetWindowTextW 0x140029770
DrawFrameControl 0x140029778
EndPaint 0x140029780
GetWindow 0x140029788
InvalidateRect 0x140029790
GetDlgItemInt 0x140029798
GetDlgItem 0x1400297a0
GetWindowRect 0x1400297a8
EndDialog 0x1400297b0
SendDlgItemMessageW 0x1400297b8
SetWindowPos 0x1400297c0
CreateDialogParamW 0x1400297c8
Name Address
SetStretchBltMode 0x140029070
CreateCompatibleBitmap 0x140029078
SetBkColor 0x140029080
GetTextExtentPoint32W 0x140029088
GetStockObject 0x140029090
SetPixel 0x140029098
SelectObject 0x1400290a0
CreateCompatibleDC 0x1400290a8
GetObjectW 0x1400290b0
GetPixel 0x1400290b8
DeleteDC 0x1400290c0
SetTextColor 0x1400290c8
CreateFontIndirectW 0x1400290d0
GetDeviceCaps 0x1400290d8
SetBkMode 0x1400290e0
StretchBlt 0x1400290e8
DeleteObject 0x1400290f0
Name Address
ChooseFontW 0x1400297f8
FindTextW 0x140029800
GetSaveFileNameW 0x140029808
GetOpenFileNameW 0x140029810
Name Address
RegQueryValueExW 0x140029000
RegOpenKeyExW 0x140029008
RegEnumKeyExW 0x140029010
RegCloseKey 0x140029018
Name Address
SHGetFileInfoW 0x1400294f0
ShellExecuteW 0x1400294f8
Name Address
CoInitialize 0x140029820
CoUninitialize 0x140029828


Usage


Processing ( 33.77 seconds )

  • 33.152 ProcessMemory
  • 0.5 CAPE
  • 0.109 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.07 seconds )

  • 0.009 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.004 infostealer_ftp
  • 0.004 territorial_disputes_sigs
  • 0.003 antiav_detectfile
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.001 antidebug_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 recon_fingerprint

Reporting ( 0.03 seconds )

  • 0.022 CAPASummary
  • 0.004 JsonDump

Signatures

Queries the keyboard layout

The PE file contains a PDB path
  • pdbpath: c:\Projects\VS2005\OutlookStatView\x64\Release\OutlookStatView.pdb

SetUnhandledExceptionFilter detected (possible anti-debug)

Yara detections observed in process dumps, payloads or dropped files
  • Hit: PID 1020 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'

Anomalous binary characteristics
  • anomaly: Entrypoint of binary is located outside of any mapped sections

Harvests information related to installed mail clients
  • regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Messaging Subsystem\MSMapiApps
  • regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging SubSystem\Profiles
  • regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\NoMailClient
  • regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\(Default)
  • regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\DLLPathEx
  • regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\PreFirstRun
  • regkey: HKEY_CURRENT_USER\Software\Clients\Mail
  • regkey: HKEY_LOCAL_MACHINE\Software\Clients\Mail

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6cb10ed7-4bca-5561-b2e1-40e1197c1b0c}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\DLLPathEx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\PreFirstRun
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\NoMailClient
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\CCSelect\.Current\(Default)
ntdll.dll.RtlWow64GetCurrentMachine
ntdll.dll.RtlWow64IsWowGuestMachineSupported
Local\SM0:1020:304:WilStaging_02
Local\SM0:1020:120:WilError_03
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.