Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 6, 2023, 6:18 p.m.	Oct. 6, 2023, 6:20 p.m.

Size	15.7MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`3141032e3b1e4f3ee0d0a1fe68ccc6e8`
SHA256	`70af1a1c350554270883747e70ff85910cb2cc2c02d3ec133b4457100a05694d`
CRC32	`8EA79C29`
ssdeep	`393216:g8EDE090yXtcYODN8EDE090yXtcYODCef/GyF3ibKL4BCXtU/PS:gjg09jtcYyjg09jtcYyxFSbi4StU6`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description)

zinda.exe "C:\Users\test22\AppData\Local\Temp\zinda.exe"
2068
- toolspub2.exe "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
  2152
  - toolspub2.exe "C:\Users\test22\AppData\Local\Temp\toolspub2.exe"
    2648
- e0cbefcb1af40c7d4aff4aca26621a98.exe "C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
  2204
- kos1.exe "C:\Users\test22\AppData\Local\Temp\kos1.exe"
  2248
  - set16.exe "C:\Users\test22\AppData\Local\Temp\set16.exe"
    2364
    - is-KOTGS.tmp "C:\Users\test22\AppData\Local\Temp\is-F79MR.tmp\is-KOTGS.tmp" /SL4 $10164 "C:\Users\test22\AppData\Local\Temp\set16.exe" 1232936 52224
      2560
      - previewer.exe "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
        2748
      - net.exe "C:\Windows\system32\net.exe" helpmsg 8
        2688
        
        net1.exe C:\Windows\system32\net1 helpmsg 8
        2852
      - previewer.exe "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
        2240
  - kos.exe "C:\Users\test22\AppData\Local\Temp\kos.exe"
    2500
- latestX.exe "C:\Users\test22\AppData\Local\Temp\latestX.exe"
  2300
- 31839b57a4f11171d6abc8bbc4451ee4.exe "C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2420

Name	Response	Post-Analysis Lookup
xmr-eu1.nanopool.org	A 51.15.58.224 A 51.255.34.118 A 51.68.143.81 A 212.47.253.124 A 163.172.154.142 A 51.15.65.182 A 135.125.238.108 A 51.15.193.130 A 51.68.190.80	51.68.190.80
iplogger.com	A 148.251.234.93	148.251.234.93
pastebin.com	A 172.67.34.170 A 104.20.67.143 A 104.20.68.143	104.20.68.143

IP Address	Status	Action
148.251.234.93	Active	Moloch
163.172.154.142	Active	Moloch
164.124.101.2	Active	Moloch
172.67.34.170	Active	Moloch
51.15.65.182	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 148.251.234.93:443 -> 192.168.56.103:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 148.251.234.93:443 -> 192.168.56.103:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49184	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49187 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49185 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49182 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49184 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49184 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49186 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49183 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49177	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49194	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49177 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49194 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49194 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49188 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49195	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49195 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49199	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49199 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49199 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49178 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49181 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49191	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49191 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49196	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49196 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49196 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49198	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49198 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49198 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 148.251.234.93:443 -> 192.168.56.103:49197	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49197 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49197 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 172.67.34.170:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49193	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49193 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49220 -> 148.251.234.93:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49220 -> 148.251.234.93:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49189 51.15.65.182:14433	None	None	None
TLS 1.3 192.168.56.103:49190 172.67.34.170:443	None	None	None
TLS 1.3 192.168.56.103:49192 163.172.154.142:14433	None	None	None

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Oct. 6, 2023, 6:18 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (8 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 6, 2023, 6:18 p.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 6:18 p.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 6:18 p.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 6:18 p.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 6:18 p.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 6:18 p.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 6:18 p.m.			0	0
IsDebuggerPresent Oct. 6, 2023, 6:18 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 6, 2023, 6:18 p.m.	buffer: Not enough storage is available to process this command. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 6, 2023, 6:18 p.m.		1	1	0

One or more processes crashed (50 out of 131073 events)

Time & API	Arguments	Status
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: is-kotgs+0x3d65a @ 0x43d65a is-kotgs+0x3ca6b @ 0x43ca6b is-kotgs+0x884b0 @ 0x4884b0 is-kotgs+0x75f02 @ 0x475f02 is-kotgs+0x8c071 @ 0x48c071 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: f7 37 89 06 e9 dd 07 00 00 8b 06 33 d2 8a 17 8b exception.symbol: is-kotgs+0x3a94f exception.instruction: div dword ptr [edi] exception.module: is-KOTGS.tmp exception.exception_code: 0xc0000094 exception.offset: 239951 exception.address: 0x43a94f registers.esp: 1637788 registers.edi: 32788660 registers.eax: 5698 registers.ebp: 1637868 registers.edx: 0 registers.ebx: 1 registers.esi: 32788644 registers.ecx: 32788660	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971253248 registers.ebp: 1637800 registers.edx: 7601 registers.ebx: 2130567168 registers.esi: 1971253248 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971249152 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971249152 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971245056 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971245056 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971240960 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971240960 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971236864 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971236864 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971232768 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971232768 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971228672 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971228672 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971224576 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971224576 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971220480 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971220480 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971216384 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971216384 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971212288 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971212288 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971208192 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971208192 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971204096 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971204096 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971200000 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971200000 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x1ac024 @ 0x5ac024 previewer+0x190cd2 @ 0x590cd2 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637760 registers.edi: 1638104 registers.eax: 1971195904 registers.ebp: 1637800 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 1971195904 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184549376 registers.ebp: 1637768 registers.edx: 828023454 registers.ebx: 3537309792 registers.esi: 184549376 registers.ecx: 4294903528	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184553472 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184553472 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184557568 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184557568 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184561664 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184561664 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184565760 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184565760 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184569856 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184569856 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184573952 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184573952 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184578048 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184578048 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184582144 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184582144 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184586240 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184586240 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184590336 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184590336 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184594432 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184594432 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184598528 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184598528 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184602624 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184602624 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184606720 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184606720 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184610816 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184610816 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184614912 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184614912 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184619008 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184619008 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184623104 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184623104 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184627200 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184627200 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184631296 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184631296 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184635392 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184635392 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184639488 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184639488 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184643584 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184643584 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184647680 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184647680 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184651776 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184651776 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184655872 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184655872 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184659968 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184659968 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184664064 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184664064 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184668160 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184668160 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184672256 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184672256 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184676352 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184676352 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184680448 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184680448 registers.ecx: 1638264	1
__exception__ Oct. 6, 2023, 6:18 p.m.	stacktrace: previewer+0x19021a @ 0x59021a previewer+0x1d2bc0 @ 0x5d2bc0 previewer+0x1afd36 @ 0x5afd36 previewer+0x63560 @ 0x463560 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 30 ff 34 24 58 55 89 e5 81 c5 04 00 00 00 57 exception.symbol: previewer+0x12013c exception.instruction: push dword ptr [eax] exception.module: previewer.exe exception.exception_code: 0xc0000005 exception.offset: 1179964 exception.address: 0x52013c registers.esp: 1637728 registers.edi: 1638104 registers.eax: 184684544 registers.ebp: 1637768 registers.edx: 0 registers.ebx: 3537309792 registers.esi: 184684544 registers.ecx: 1638264	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 90 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fc000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2152 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4161536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2204 region_size: 9351168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2248 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 36864 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2364 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4161536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04000000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2420 region_size: 9351168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000008d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001fe0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (11 events)

file	C:\Users\test22\AppData\Local\Temp\kos1.exe
file	C:\Users\test22\AppData\Local\Temp\latestX.exe
file	C:\Program Files (x86)\PA Previewer\previewer.exe
file	C:\Users\test22\AppData\Local\Temp\set16.exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\is-CLU6L.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\kos.exe
file	C:\Users\test22\AppData\Local\Temp\is-CLU6L.tmp\_isetup\_isdecmp.dll
file	C:\Users\test22\AppData\Local\Temp\is-CLU6L.tmp\_isetup\_iscrypt.dll

Drops a binary and executes it (7 events)

file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\AppData\Local\Temp\kos1.exe
file	C:\Users\test22\AppData\Local\Temp\latestX.exe
file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\set16.exe
file	C:\Users\test22\AppData\Local\Temp\kos.exe

Drops an executable to the user AppData folder (10 events)

file	C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file	C:\Users\test22\AppData\Local\Temp\is-CLU6L.tmp\_isetup\_isdecmp.dll
file	C:\Users\test22\AppData\Local\Temp\kos.exe
file	C:\Users\test22\AppData\Local\Temp\is-CLU6L.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub2.exe
file	C:\Users\test22\AppData\Local\Temp\is-CLU6L.tmp\_isetup\_iscrypt.dll
file	C:\Users\test22\AppData\Local\Temp\kos1.exe
file	C:\Users\test22\AppData\Local\Temp\is-CLU6L.tmp\_isetup\_RegDLL.tmp
file	C:\Users\test22\AppData\Local\Temp\set16.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 6, 2023, 6:18 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00fb1a00', u'virtual_address': u'0x00002000', u'entropy': 7.953331868067012, u'name': u'.text', u'virtual_size': u'0x00fb1844'}

entropy

7.95333186807

description

A section with a high entropy has been found

entropy

0.999875563851

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 6, 2023, 6:18 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 6, 2023, 6:18 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA Oct. 6, 2023, 6:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PA Previewer_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PA Previewer_is1	2
RegOpenKeyExA Oct. 6, 2023, 6:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PA Previewer_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\PA Previewer_is1	2
RegOpenKeyExA Oct. 6, 2023, 6:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PA Previewer_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PA Previewer_is1	2
RegOpenKeyExA Oct. 6, 2023, 6:18 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\PA Previewer_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\PA Previewer_is1	2

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\system32\net.exe" helpmsg 8

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2648 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Oct. 6, 2023, 6:18 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Oct. 6, 2023, 6:18 p.m.	module_name: snxhk module_address: 0x00000000 stack_pivoted: 0		3221225781	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 6, 2023, 6:18 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2648 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2152 called NtSetContextThread to modify thread in remote process 2648
NtSetContextThread Oct. 6, 2023, 6:18 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2648	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2152 resumed a thread in remote process 2648
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2648	1	0	0

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ Oct. 6, 2023, 6:18 p.m.	tid: 2752 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Executed a process and injected code into it, probably while unpacking (41 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2156 thread_handle: 0x0000039c process_identifier: 2152 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\toolspub2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\toolspub2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\toolspub2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003a4	1	1
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2208 thread_handle: 0x000003b0 process_identifier: 2204 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003cc	1	1
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000003b4 suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2252 thread_handle: 0x000003bc process_identifier: 2248 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\kos1.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\kos1.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\kos1.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e4	1	1
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000003cc suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2304 thread_handle: 0x000003d4 process_identifier: 2300 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\latestX.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\latestX.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\latestX.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003fc	1	1
NtGetContextThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000003cc suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2424 thread_handle: 0x000003c4 process_identifier: 2420 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003a4	1	1
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2652 thread_handle: 0x0000007c process_identifier: 2648 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\toolspub2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\toolspub2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\toolspub2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Oct. 6, 2023, 6:18 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2648 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Oct. 6, 2023, 6:18 p.m.	process_identifier: 2648 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Oct. 6, 2023, 6:18 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2648 process_handle: 0x00000080	1	1
NtSetContextThread Oct. 6, 2023, 6:18 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4206040 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2648	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2648	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2248	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2248	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2248	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2248	1	0
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2368 thread_handle: 0x00000374 process_identifier: 2364 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\set16.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\set16.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\set16.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000037c	1	1
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2248	1	0
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2504 thread_handle: 0x0000037c process_identifier: 2500 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\kos.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\kos.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\kos.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003bc	1	1
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2564 thread_handle: 0x00000128 process_identifier: 2560 current_directory: filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\is-F79MR.tmp\is-KOTGS.tmp" /SL4 $10164 "C:\Users\test22\AppData\Local\Temp\set16.exe" 1232936 52224 filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000124	1	1
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x0000000000000328 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Oct. 6, 2023, 6:18 p.m.	thread_handle: 0x000001a8 suspend_count: 1 process_identifier: 2560	1	0
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2692 thread_handle: 0x00000288 process_identifier: 2688 current_directory: C:\Windows\system32 filepath: track: 1 command_line: "C:\Windows\system32\net.exe" helpmsg 8 filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000294	1	1
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2752 thread_handle: 0x00000294 process_identifier: 2748 current_directory: C:\Program Files (x86)\PA Previewer filepath: track: 1 command_line: "C:\Program Files (x86)\PA Previewer\previewer.exe" -i filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000288	1	1
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2292 thread_handle: 0x00000288 process_identifier: 2240 current_directory: C:\Program Files (x86)\PA Previewer filepath: track: 1 command_line: "C:\Program Files (x86)\PA Previewer\previewer.exe" -s filepath_r: stack_pivoted: 0 creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE) inherit_handles: 0 process_handle: 0x00000294	1	1
CreateProcessInternalW Oct. 6, 2023, 6:18 p.m.	thread_identifier: 2856 thread_handle: 0x00000140 process_identifier: 2852 current_directory: filepath: track: 1 command_line: C:\Windows\system32\net1 helpmsg 8 filepath_r: stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 1 process_handle: 0x00000144	1	1

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.ShortLoader.4!c
DrWeb	Trojan.MulDropNET.43
MicroWorld-eScan	IL:Trojan.MSILZilla.9891
ALYac	IL:Trojan.MSILZilla.9891
Malwarebytes	Trojan.Crypt.MSIL.Generic
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
K7GW	Ransomware ( 005a8b921 )
K7AntiVirus	Ransomware ( 005a8b921 )
Arcabit	IL:Trojan.MSILZilla.D26A3
BitDefenderTheta	Gen:NN.ZemsilF.36738.@p0@a0cisOn
Cyren	W32/MSIL_Kryptik.FFY.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Agent.UZA
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.MSIL.ShortLoader.gen
BitDefender	IL:Trojan.MSILZilla.9891
Avast	Win32:DropperX-gen [Drp]
Tencent	Msil.Trojan-Downloader.Shortloader.Iqil
Emsisoft	IL:Trojan.MSILZilla.9891 (B)
VIPRE	IL:Trojan.MSILZilla.9891
McAfee-GW-Edition	BehavesLike.Win32.Generic.wc
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.3141032e3b1e4f3e
Sophos	Troj/ILAgent-I
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=85)
Gridinsoft	Trojan.Win32.Glupteba.bot
Microsoft	Trojan:MSIL/Mokes.B!MTB
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.ShortLoader.gen
GData	IL:Trojan.MSILZilla.9891
Google	Detected
AhnLab-V3	Malware/Win.Generic.C4478643
McAfee	GenericRXQC-JD!3141032E3B1E
VBA32	Trojan.MSIL.Injector.gen
Cylance	unsafe
Panda	Trj/GdSda.A
Rising	Trojan.AntiVM!1.CF63 (CLASSIC)
Ikarus	Trojan.MSIL.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.FFMZ!tr
AVG	Win32:DropperX-gen [Drp]
Cybereason	malicious.63e2c3
DeepInstinct	MALICIOUS

zinda.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All