Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 7, 2023, 10:25 a.m.	June 7, 2023, 10:26 a.m.

Size	496.1KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`179d4849f8d096122d05de3c7bebb4bd`
SHA256	`2f6ae770a5d56ed8a2cfe262e196363b5c80e58468c66ff36cdf9c75306c2c55`
CRC32	`371EC73A`
ssdeep	`12288:W5XwIjvPgzGgQChM5u/7hIYArytfqYsgzelZ7CPZUeQ58:njhhArytfqYsgalZWPRQ58`
PDB Path	c:\Documents and Settings\Andrew\Desktop\lcms\lcms2-2.9\bin\lcms2.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsComputeInterpParams@24
3020
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsFreeInterpParams@4
1184
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsGetFormatter@16
2384
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsFloat2Half@4
612
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsHalf2Float@4
1192
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsQuantizeVal@12
1704
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsReadDevicelinkLUT@8
2556
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsReadInputLUT@8
2496
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsReadOutputLUT@8
2916
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsStageAllocIdentityCLut@8
2204
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsStageAllocIdentityCurves@8
2220
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsStageAllocLab2XYZ@4
1604
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsStageAllocLabV2ToV4@4
2684
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsStageAllocLabV4ToV2@4
2116
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsStageAllocNamedColor@8
2376
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,l_cmsStageAllocXYZ2Lab@4
2388
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcms15Fixed16toDouble
2724
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcms8Fixed8toDouble
2380
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsAdjustEndianess16
904
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsAdjustEndianess32
1884
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsAdjustEndianess64
2768
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsCalloc
2368
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsCreateMutex
2172
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsDecodeDateTimeNumber
2408
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsDefaultICCintents
3036
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsDestroyMutex
3084
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsDoTransformLineStride@36
3192
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsDoubleTo15Fixed16
3304
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsDoubleTo8Fixed8
3452
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsDupMem
3548
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsEncodeDateTimeNumber
3640
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsFree
3732
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsGetTransformFormatters16
3840
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsGetTransformFormattersFloat
3940
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsGetTransformUserData
4056
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsICCcolorSpace
3204
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsIOPrintf
3424
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsLCMScolorSpace
3576
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsLockMutex
3692
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsMAT3eval
3644
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsMAT3identity
4076
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsMAT3inverse
3296
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsMAT3isIdentity
3536
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsMAT3per
3824
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsMAT3solve
3116
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsMalloc
3528
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsMallocZero
3784
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsOpenProfileFromIOhandler2THR@12
3464
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsPipelineSetOptimizationParameters
3208
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsRead15Fixed16Number
3816
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsReadAlignment
3260
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsReadFloat32Number
4100
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsReadTypeBase
4216
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsReadUInt16Array
4628
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsReadUInt16Number
4748
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsReadUInt32Number
4844
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsReadUInt64Number
4944
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsReadUInt8Number
5096
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsReadXYZNumber
4240
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsRealloc
4668
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsSetTransformUserData
4828
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsStageAllocPlaceholder
5012
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsUnlockMutex
4260
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsVEC3cross
4832
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsVEC3distance
4472
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsVEC3dot
3044
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsVEC3init
3684
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsVEC3length
4176
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsVEC3minus
4864
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsWrite15Fixed16Number
4592
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\batteryacid.dat.dll,lcmsWriteAlignment
5188

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 70 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:25 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0
IsDebuggerPresent June 7, 2023, 10:26 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

c:\Documents and Settings\Andrew\Desktop\lcms\lcms2-2.9\bin\lcms2.pdb

One or more processes crashed (35 events)

Time & API	Arguments	Status
__exception__ June 7, 2023, 10:25 a.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7753f559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7753f639 RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x774edf95 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x74e814dd lmsChangeBuffersFormat+0x1529 batteryacid+0x2d059 @ 0x1002d059 lmsfilelength+0xae lcmsMalloc-0x1b2 batteryacid+0x726e @ 0x1000726e rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x7753e667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x7753e653 registers.esp: 783720 registers.edi: 65902 registers.eax: 783736 registers.ebp: 783840 registers.edx: 0 registers.ebx: 0 registers.esi: 3997696 registers.ecx: 2147483647	1
__exception__ June 7, 2023, 10:25 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: f4 83 7d f4 04 73 ef eb 83 83 c3 0d 53 eb 15 bb exception.instruction: hlt exception.exception_code: 0xc0000096 exception.symbol: l_cmsStageAllocIdentityCLut@8+0x80 lmsStageSampleCLut16bit-0x40 batteryacid+0x11440 exception.address: 0x10011440 registers.esp: 2422856 registers.edi: 0 registers.eax: 196980 registers.ebp: 2422972 registers.edx: 4 registers.ebx: 0 registers.esi: 196980 registers.ecx: 0	1
__exception__ June 7, 2023, 10:25 a.m.	stacktrace: lmsSignalError+0xeb lcmsCreateMutex-0xb5 batteryacid+0x77fb @ 0x100077fb exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.instruction: btr dword ptr [eax], 0 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 139970 exception.address: 0x774922c2 registers.esp: 1965300 registers.edi: 30903597 registers.eax: 30903601 registers.ebp: 1965320 registers.edx: 14 registers.ebx: 196984 registers.esi: 30903601 registers.ecx: 30903597	1
__exception__ June 7, 2023, 10:25 a.m.	stacktrace: lmsSignalError+0xeb lcmsCreateMutex-0xb5 batteryacid+0x77fb @ 0x100077fb exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.instruction: btr dword ptr [eax], 0 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 139970 exception.address: 0x774922c2 registers.esp: 1963820 registers.edi: 3065319730 registers.eax: 3065319734 registers.ebp: 1963840 registers.edx: 14 registers.ebx: 131440 registers.esi: 3065319734 registers.ecx: 3065319730	1
__exception__ June 7, 2023, 10:25 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: dc 8b 75 dc eb 00 8d 7d 9c a5 eb e7 8b 45 f4 0f exception.exception_code: 0xc0000005 exception.symbol: lmsStageAllocCLutFloatGranular+0x1f0 l_cmsQuantizeVal@12-0x80 batteryacid+0x113c0 exception.address: 0x100113c0 registers.esp: 719980 registers.edi: 0 registers.eax: 65916 registers.ebp: 720096 registers.edx: 4 registers.ebx: 0 registers.esi: 65916 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: lmsDupNamedColorList+0x7d lmsAppendNamedColor-0x23 batteryacid+0x13dad @ 0x10013dad exception.instruction_r: f3 a5 ff 24 95 54 bd 02 10 90 8b c7 ba 03 00 00 exception.instruction: movsd dword ptr es:[edi], dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: lmsChangeBuffersFormat+0x10a batteryacid+0x2bc3a exception.address: 0x1002bc3a registers.esp: 1177552 registers.edi: 37031892 registers.eax: 4100396 registers.ebp: 1177560 registers.edx: 0 registers.ebx: 262577 registers.esi: 3215360 registers.ecx: 221259	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 88 51 07 0f b6 50 01 88 51 06 0f b6 50 02 88 51 exception.instruction: mov byte ptr [ecx + 7], dl exception.exception_code: 0xc0000005 exception.symbol: lcmsAdjustEndianess64+0xb lcmsReadUInt8Number-0x35 batteryacid+0x1d4cb exception.address: 0x1001d4cb registers.esp: 2685320 registers.edi: 0 registers.eax: 14942208 registers.ebp: 2685436 registers.edx: 77 registers.ebx: 0 registers.esi: 262742 registers.ecx: 262742	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 89 0a 0f b7 46 08 50 e8 ae f9 ff ff 0f b7 c8 89 exception.instruction: mov dword ptr [edx], ecx exception.exception_code: 0xc0000005 exception.symbol: lcmsDecodeDateTimeNumber+0x16 lcmsEncodeDateTimeNumber-0x7a batteryacid+0x1dab6 exception.address: 0x1001dab6 registers.esp: 2358636 registers.edi: 0 registers.eax: 0 registers.ebp: 2358756 registers.edx: 14942208 registers.ebx: 0 registers.esi: 131702 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: lcmsDefaultICCintents+0x28 lmsGetSupportedIntentsTHR-0x9f8 batteryacid+0x6608 @ 0x10006608 rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 11 52 e8 b8 7d 00 00 8b c8 33 f6 89 4c 24 54 exception.instruction: mov edx, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: lmsIT8DefineDblFormat+0x9c0 lcmsDefaultICCintents-0x290 batteryacid+0x6350 exception.address: 0x10006350 registers.esp: 916736 registers.edi: 13577160 registers.eax: 13577160 registers.ebp: 916984 registers.edx: 0 registers.ebx: 14942208 registers.esi: 131706 registers.ecx: 1	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: RtlDeleteCriticalSection+0x82 RtlQueryDepthSList-0xa5 ntdll+0x34677 @ 0x774a4677 lmsSignalError+0xcc lcmsCreateMutex-0xd4 batteryacid+0x77dc @ 0x100077dc rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 30 3b 71 04 0f 85 df e2 05 00 3b f2 0f 85 d7 exception.symbol: RtlImageNtHeader+0x144a RtlDeleteCriticalSection-0x47 ntdll+0x345ae exception.instruction: mov esi, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 214446 exception.address: 0x774a45ae registers.esp: 850316 registers.edi: 14942208 registers.eax: 0 registers.ebp: 850320 registers.edx: 9460309 registers.ebx: 1 registers.esi: 9460301 registers.ecx: 83886080	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 2226416 registers.edi: 0 registers.eax: 0 registers.ebp: 2226576 registers.edx: 14942208 registers.ebx: 0 registers.esi: 66242 registers.ecx: 3777142	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: lmsChangeBuffersFormat+0x2518 batteryacid+0x2e048 @ 0x1002e048 lmsfilelength+0x153 lcmsMalloc-0x10d batteryacid+0x7313 @ 0x10007313 rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 66 0f 6f 06 66 0f 6f 4e 10 66 0f 6f 56 20 66 0f exception.exception_code: 0xc0000005 exception.symbol: lmsChangeBuffersFormat+0x245f batteryacid+0x2df8f exception.address: 0x1002df8f registers.esp: 2225908 registers.edi: 43114528 registers.eax: 43057184 registers.ebp: 2225916 registers.edx: 0 registers.ebx: 14942208 registers.esi: 14999552 registers.ecx: 39301	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x74e814dd lmsChangeBuffersFormat+0x1529 batteryacid+0x2d059 @ 0x1002d059 lmsfilelength+0xae lcmsMalloc-0x1b2 batteryacid+0x726e @ 0x1000726e rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 80 78 07 05 0f 84 a4 ff 04 00 f6 40 07 3f 0f 84 exception.symbol: RtlFreeHeap+0x3f RtlAllocateHeap-0x62 ntdll+0x2dfc4 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 188356 exception.address: 0x7749dfc4 registers.esp: 1832384 registers.edi: 0 registers.eax: 14942200 registers.ebp: 1832400 registers.edx: 4 registers.ebx: 14942208 registers.esi: 13828096 registers.ecx: 66346	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 89 10 8b 44 24 0c 85 c0 74 05 8b 49 10 89 08 c2 exception.instruction: mov dword ptr [eax], edx exception.exception_code: 0xc0000005 exception.symbol: lcmsGetTransformFormatters16+0xf lcmsGetTransformFormattersFloat-0x21 batteryacid+0x2b07f exception.address: 0x1002b07f registers.esp: 719532 registers.edi: 0 registers.eax: 14942208 registers.ebp: 719648 registers.edx: 0 registers.ebx: 0 registers.esi: 66350 registers.ecx: 66350	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 89 10 8b 44 24 0c 85 c0 74 05 8b 49 18 89 08 c2 exception.instruction: mov dword ptr [eax], edx exception.exception_code: 0xc0000005 exception.symbol: lcmsGetTransformFormattersFloat+0xf lmsCreateExtendedTransform-0x451 batteryacid+0x2b0af exception.address: 0x1002b0af registers.esp: 2619132 registers.edi: 0 registers.eax: 14942208 registers.ebp: 2619248 registers.edx: 0 registers.ebx: 0 registers.esi: 131922 registers.ecx: 131922	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xab1b01d7 registers.esp: 1307312 registers.edi: 0 registers.eax: 3 registers.ebp: 1309500 registers.edx: 2870673879 registers.ebx: 0 registers.esi: 197526 registers.ecx: 1307332	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: lmsSignalError+0xeb lcmsCreateMutex-0xb5 batteryacid+0x77fb @ 0x100077fb rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: f0 0f ba 30 00 0f 83 6e 02 01 00 64 a1 18 00 00 exception.symbol: RtlEnterCriticalSection+0x12 RtlRestoreLastWin32Error-0x2d ntdll+0x222c2 exception.instruction: btr dword ptr [eax], 0 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 139970 exception.address: 0x774922c2 registers.esp: 1440068 registers.edi: 14942208 registers.eax: 14942212 registers.ebp: 1440088 registers.edx: 14 registers.ebx: 0 registers.esi: 14942212 registers.ecx: 14942208	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: dd 1a dd 41 20 dc 48 08 dd 41 18 dc 08 de c1 dd exception.exception_code: 0xc0000005 exception.symbol: lcmsMAT3eval+0x20 lmsMLUalloc-0x40 batteryacid+0x134e0 exception.address: 0x100134e0 registers.esp: 2357004 registers.edi: 0 registers.eax: 6791854 registers.ebp: 2357120 registers.edx: 132030 registers.ebx: 0 registers.esi: 132030 registers.ecx: 14942208	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x137d @ 0xe4137d rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: dd 18 dd 41 38 dc 49 10 dd 41 08 dc 49 40 de e9 exception.exception_code: 0xc0000005 exception.symbol: lcmsMAT3inverse+0x6d lcmsMAT3solve-0x93 batteryacid+0x133cd exception.address: 0x100133cd registers.esp: 1244304 registers.edi: 0 registers.eax: 14942208 registers.ebp: 1244308 registers.edx: 4 registers.ebx: 0 registers.esi: 132098 registers.ecx: 132098	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x137d @ 0xe4137d rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: dd 18 dd 44 24 10 dd 58 08 dd 44 24 18 dd 58 10 exception.exception_code: 0xc0000005 exception.symbol: lcmsVEC3init+0x8 lcmsVEC3minus-0x18 batteryacid+0x13028 exception.address: 0x10013028 registers.esp: 588896 registers.edi: 0 registers.eax: 132134 registers.ebp: 589032 registers.edx: 14942208 registers.ebx: 0 registers.esi: 132134 registers.ecx: 6070956	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 89 48 10 8b 4c 24 10 89 50 1c 8b 54 24 0c 89 48 exception.instruction: mov dword ptr [eax + 0x10], ecx exception.exception_code: 0xc0000005 exception.symbol: lcmsPipelineSetOptimizationParameters+0xc lmsPipelineEvalReverseFloat-0xb4 batteryacid+0x123cc exception.address: 0x100123cc registers.esp: 1243260 registers.edi: 0 registers.eax: 263242 registers.ebp: 1243376 registers.edx: 0 registers.ebx: 0 registers.esi: 263242 registers.ecx: 14942208	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 654488 registers.edi: 0 registers.eax: 66670 registers.ebp: 654628 registers.edx: 4 registers.ebx: 0 registers.esi: 66670 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1178012 registers.edi: 0 registers.eax: 0 registers.ebp: 1178140 registers.edx: 4 registers.ebx: 0 registers.esi: 66674 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1833320 registers.edi: 0 registers.eax: 66678 registers.ebp: 1833456 registers.edx: 4 registers.ebx: 0 registers.esi: 66678 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 2620156 registers.edi: 0 registers.eax: 66744 registers.ebp: 2620308 registers.edx: 0 registers.ebx: 0 registers.esi: 66744 registers.ecx: 2620180	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1440536 registers.edi: 2597580 registers.eax: 66812 registers.ebp: 66812 registers.edx: 4 registers.ebx: 14942208 registers.esi: 0 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 2881556 registers.edi: 0 registers.eax: 66816 registers.ebp: 2881692 registers.edx: 4 registers.ebx: 0 registers.esi: 66816 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1963624 registers.edi: 0 registers.eax: 66820 registers.ebp: 1963760 registers.edx: 4 registers.ebx: 0 registers.esi: 66820 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1440500 registers.edi: 0 registers.eax: 66884 registers.ebp: 1440644 registers.edx: 4 registers.ebx: 0 registers.esi: 66884 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 652872 registers.edi: 0 registers.eax: 66952 registers.ebp: 653008 registers.edx: 4 registers.ebx: 0 registers.esi: 66952 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x137d @ 0xe4137d rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 2291212 registers.edi: 0 registers.eax: 66956 registers.ebp: 2291252 registers.edx: 4 registers.ebx: 0 registers.esi: 66956 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: lmsChangeBuffersFormat+0x1a28 batteryacid+0x2d558 @ 0x1002d558 lmsfilelength+0xc9 lcmsMalloc-0x197 batteryacid+0x7289 @ 0x10007289 rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 80 78 07 05 0f 84 ba c1 04 00 f6 40 07 3f 0f 84 exception.symbol: RtlReAllocateHeap+0x44 RtlGetIntegerAtom-0x41d ntdll+0x41fb2 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 270258 exception.address: 0x774b1fb2 registers.esp: 1112488 registers.edi: 3604480 registers.eax: 14942200 registers.ebp: 1112588 registers.edx: 14942208 registers.ebx: 14942208 registers.esi: 0 registers.ecx: 5743276	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: lmsSignalError+0x10b lcmsCreateMutex-0x95 batteryacid+0x781b @ 0x1000781b rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 83 46 08 ff 75 23 53 57 8d 7e 04 c7 46 0c 00 00 exception.symbol: RtlLeaveCriticalSection+0x9 RtlEnterCriticalSection-0x37 ntdll+0x22279 exception.instruction: add dword ptr [esi + 8], -1 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 139897 exception.address: 0x77492279 registers.esp: 916048 registers.edi: 0 registers.eax: 14942208 registers.ebp: 916052 registers.edx: 14 registers.ebx: 0 registers.esi: 14942208 registers.ecx: 14942208	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: dd 18 dd 44 24 10 dd 58 08 dd 44 24 18 dd 58 10 exception.exception_code: 0xc0000005 exception.symbol: lcmsVEC3init+0x8 lcmsVEC3minus-0x18 batteryacid+0x13028 exception.address: 0x10013028 registers.esp: 2489700 registers.edi: 0 registers.eax: 263684 registers.ebp: 2489816 registers.edx: 4 registers.ebx: 0 registers.esi: 263684 registers.ecx: 0	1
__exception__ June 7, 2023, 10:26 a.m.	stacktrace: rundll32+0x1326 @ 0xe41326 rundll32+0x1901 @ 0xe41901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 2620872 registers.edi: 67136 registers.eax: 0 registers.ebp: 2621004 registers.edx: 4 registers.ebx: 0 registers.esi: 67136 registers.ecx: 0	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 490 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 3020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10043000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 3020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 3020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 3020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 3020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 3020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74212000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 3020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10043000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74212000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10043000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74212000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10043000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74212000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 612 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10043000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74212000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10043000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74212000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10043000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74300000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74212000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 10:25 a.m.	process_identifier: 2496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10043000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001b000', u'virtual_address': u'0x0005d000', u'entropy': 7.904860604753047, u'name': u'.rsrc', u'virtual_size': u'0x0001a53f'}

entropy

7.90486060475

description

A section with a high entropy has been found

entropy

0.227848101266

description

Overall entropy of this PE file is high

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Elastic	malicious (high confidence)
CrowdStrike	win/malicious_confidence_70% (D)
Symantec	W32.Qakbot!g51
Kaspersky	HEUR:Trojan-Banker.Win32.Qbot.gen
TrendMicro	TrojanSpy.Win32.QAKBOT.YXDFGZ
McAfee-GW-Edition	BehavesLike.Win32.Trojan.gc
Sophos	Mal/Generic-S
Gridinsoft	Trojan.Win32.Qakbot.bot
McAfee	Artemis!179D4849F8D0
Rising	Trojan.Qbot!8.8A3 (CLOUD)

batteryacid.dat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All