
Sample: c26859c4a7dce369457b656a5922876e

P3pper Reports - http://www.peppermalware.com.

P3pper Twitter - https://twitter.com/P3pperP0tts.

This report has been generated automatically by a set of malware analysis tools.

This work is licensed under a Creative Commons Attribution 4.0 International License. To view a copy of this license visit http://creativecommons.org/licenses/by/4.0/.

Classification: #STEALER #AVEMARIA (based on p3pperp0tts rules)

Analysis date: 2021-01-05 13:40:21 (p3pperp0tts platform's analysis date)

Exe timestamp: 2020-12-09 22:47:43 (timestamp of the original sample)

Unpacked mods max timestamp: 2020-12-09 22:47:43 (highest timestamp of all the unpacked modules)

VirusTotal analysis date: 2020-12-20 07:21:22 (date the sample was last analyzed at VT)

Index

• Sample

• AV detections

• Virustotal

• Yara matches

• Threads tree

• Most Interesting behavior

• Most Interesting strings

• Hosts

• Dns queries

• Network traffic

• Full strings list

• Threads behaviour

• Network by processes

• Unpacked or injected modules

• Extra Information Recovered

• Configs Recovered


Sample

• md5: c26859c4a7dce369457b656a5922876e

AV detections

• Microsoft: Trojan:Win32/AveMaria.AM!MTB

• Kaspersky: Trojan-Spy.Win32.AveMaria.dqa

• Symantec: Ransom.Wannacry

• Malwarebytes: Backdoor.AveMaria

Virustotal

• https://virustotal.com/es/file/640fb0d63a59e413c9a916160a9e2dd334f84734a70fc4c8e9c13509e168a0ff/analysis

Yara matches

The following yara rules have matched the code or data areas of injected or unpacked modules.


Threads tree

The following tree represents the sample's threads. T<index> is an alias for a sample thread (threads are numbered in order of creation). P<index> is an alias for a process owning sample threads.


Most interesting behavior

The following list is a collection of the most interesting events captured, ordered by the score assigned to each event. The section "Threads behavioural information" lists all the actions performed by each of the sample's threads in chronological order.


Most interesting strings

The following list is a collection of the most interesting strings found in the code or data of the sample's modules (unpacked modules included).


Hosts

• 192.168.239.1:5353

• 192.168.239.224:49172

• 224.0.0.251:5353

• 72.247.177.183:80


Dns queries

• 255.239.168.192.in-addr.arpa ---> no answers

• 2.239.168.192.in-addr.arpa ---> no answers

• 1.239.168.192.in-addr.arpa ---> no answers

• isatap.localdomain ---> no answers

• 250.255.255.239.in-addr.arpa ---> no answers


Network traffic

This section contains the readable content of the captured network traffic classified by established connections.

• tcp 192.168.239.224:49172 ---> 72.247.177.183:80

GET /pki/crl/products/WinPCA.crl HTTP/1.1[...]If-Modified-Since: Wed, 02 Dec 2015 18:30:06 GMT[...]Cache-Control: max-age = 900[...]User-Agent: Microsoft-CryptoAPI/6.1[...]Host: crl.microsoft.com[...]If-None-Match: "0cb60772f2dd11:0"[...]Connection: Keep-Alive

• tcp 72.247.177.183:80 ---> 192.168.239.224:49172

x-ms-blob-type: BlockBlob[...]Content-Length: 530[...]Content-Type: application/pkix-crl[...]HTTP/1.1 200 OK[...]Date: Tue, 05 Jan 2021 11:50:08 GMT[...]430418080000Z[...]151202080000Z[...]HTTP/1.1 200 OK[...]Content-MD5: Xiddt2GqWiOsZRr49sSgAA==[...]x-ms-lease-status: unlocked[...]x-ms-version: 2009-09-19[...]Last-Modified: Tue, 08 May 2018 21:14:18 GMT[...]x-ms-request-id: f663655e-101e-0084-6eff-691158000000[...]Connection: Keep-Alive[...]Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0[...]Microsoft Corporation1+0)[...]ETag: 0x8D5B528A905E7D5[...]"Microsoft Windows Verification PCA

• udp 192.168.239.1:5353 ---> 224.0.0.251:5353


Full strings list

The following list is a collection of all the strings found in the code or data of the sample's modules (unpacked modules included).

• wcsncpy_s(names->szCodePage, (sizeof(*__countof_helper(names->szCodePage)) + 0), wlocale, len)

• wcsncpy_s(_psetloc_data->_cacheLocaleName, (sizeof(*__countof_helper(_psetloc_data->_cacheLocaleName)) + 0), lpLocaleString, wcslen(lpLocaleString) + 1)

• !This program cannot be run in DOS mode. • .?AVbad_exception@std@@

• __acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required

• wcsncpy_s(lpOutStr->szCodePage, (sizeof(*__countof_helper(lpOutStr->szCodePage)) + 0), L"utf8", 5) • .?AVbad_alloc@std@@

• <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">

• !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~

• wcsncpy_s(_psetloc_data->_cacheLocaleName, (sizeof(*__countof_helper(_psetloc_data->_cacheLocaleName)) + 0), localeName, wcslen(localeName) + 1)

• wcsncpy_s(names->szCountry, (sizeof(*__countof_helper(names->szCountry)) + 0), wlocale, len) • <?xml version='1.0' encoding='UTF-8' standalone='yes'?>

• traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))

• <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

• wcsncpy_s(lpOutStr->szLocaleName, (sizeof(*__countof_helper(lpOutStr->szLocaleName)) + 0), _psetloc_data->_cacheLocaleName, wcslen(_psetloc_data->_cacheLocaleName) + 1) • api-ms-win-core-synch-l1-2-0.dll • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\eh\\std_exception.cpp • .?AVbad_array_new_length@std@@ • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\eh\\std_type_info.cpp • C:\\Users\\p3pp3r\\Downloads\\p3pp3rsamp.exe

• ((destination)) != NULL && ((size_in_elements)) > 0 • Base Class Array'

• For information on how your program can cause an assertion • LocaleNameToLCID

• `copy constructor closure'

• ("Corrupted pointer passed to _freea", 0) • (L"String is not null terminated" && 0) • `managed vector copy constructor iterator' • _CrtSetReportMode

• <requestedExecutionLevel level='asInvoker' uiAccess='false' /> • _itoa_s(nLine, szLineMessage, 4096, 10)

• CoReleaseServerProcess

• minkernel\\crts\\ucrt\\src\\appcrt\\heap\\debug_heap.cpp • ERROR : Unable to initialize critical section in CAtlModule • atlTraceGeneral

• .?AVpairNode@@ • .?AVpDNameNode@@

• `vector copy constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\misc\\dbgrptt.cpp • .?AVCAtlModule@ATL@@ • api-ms-win-appmodel-runtime-l1-1-2 • SetWindowLongA • template-parameter-• `local vftable' • .?AVCAtlException@ATL@@ • Program: %ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls • .?AVtype_info@@

(16)

• minkernel\\crts\\ucrt\\src\\appcrt\\startup\\argv_parsing.cpp • QueryPerformanceCounter

• AtlThunk_DataToCode

• __crt_strtox::c_string_character_source<char>::validate

• wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String") • abort() has been called

• TerminateProcess

• c:\\program files (x86)\\microsoft visual

studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atltrace.h • `dynamic initializer for '

• minkernel\\crts\\ucrt\\src\\appcrt\\locale\\locale_refcounting.cpp • .?AVDNameStatusNode@@

• `vector vbase copy constructor iterator' • cached_fp == invalid_function_sentinel() • InterlockedFlushSList • atlTraceString • utput::string_output_adapter<wchar_t>,class __crt_stdio_output::format_validation_base<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t> > >::type_case_integer • _set_new_mode • ext-ms-win-ntuser-dialogbox-l1-1-0 • cached_handle == INVALID_HANDLE_VALUE • atlTraceControls

• Buffer is too small

• minkernel\\crts\\ucrt\\src\\appcrt\\misc\\errno.cpp • `vector vbase constructor iterator'

• minkernel\\crts\\ucrt\\inc\\corecrt_internal_stdio.h • GetSystemTimeAsFileTime

• ERROR : Unable to initialize critical section in CAtlBaseModule • to->_What == nullptr && to->_DoFree == false

• __crt_strtox::c_string_character_source<wchar_t>::validate • common_message_window

• _p != nullptr • _VCrtDbgReportW

• `eh vector vbase copy constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\string\\stricmp.cpp • operator co_await

`generic-class-parameter-• (ptloci->lc_category[category].locale != nullptr && ptloci->lc_category[category].refcount != nullptr) || (ptloci->lc_category[category].locale == nullptr && ptloci->lc_category[category].refcount == nullptr) • `local static destructor helper'

• strcat_s(szLineMessage, 4096, "\\r") • atlTraceHosting • .?AVcharNode@@ • .?AVDNameNode@@ • GetEnabledXStateFeatures • atlTraceDBProvider • LCMapStringW

• strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!") • `local vftable constructor closure'

• `eh vector vbase constructor iterator' • CreateEventW

• `default constructor closure'

• e = mbstowcs_s(&ret;, szOutMessage2, 4096, szOutMessage, ((size_t)-1)) • HeapValidate

• LocateXStateFeature • atlTraceRegistrar

(17)

• `virtual displacement map'

• C:\\Users\\W7H64\\Desktop\\VCSamples-master\\VC2010Samples\\ATL\\General\\AtlCon\\bitcoin coinjoin op.pdb • AppPolicyGetThreadInitializationType

• GetProcAddress

• api-ms-win-security-systemfunctions-l1-1-0 • api-ms-win-core-localization-obsolete-l1-2-0 • common_tcscpy_s

• c:\\program files (x86)\\microsoft visual

studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atltransactionmanager.h • .?AV?$CAtlExeModuleT@VCATLConModule@@@ATL@@ • (((HRESULT)(hr)) >= 0) • GetCurrentThreadId • GetConsoleMode • stream != nullptr • SetThreadStackGuarantee • GetCurrentProcess • src != nullptr • CreateThread • atlTraceWindowing

• false && "Too many categories defined" • SetConsoleCtrlHandler

• strcat_s(szLineMessage, 4096, "\\n") • 0 && "Use OBJECT_ENTRY_NON_CREATEABLE_EX • common_tcscat_s

• fMode == _CRTDBG_REPORT_MODE || (fMode & ~(_CRTDBG_MODE_FILE | _CRTDBG_MODE_DEBUG | _CRTDBG_MODE_WNDW)) == 0 • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcstartup\\src\\misc\\thread_safe_statics.cpp

• c:\\program files (x86)\\microsoft visual

studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlconv.h • mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments

• d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\internal\\winapi_downlevel.cpp • strcpy_s(szOutMessage, 4096, szLineMessage)

• UnregisterClassA

• failure, see the Visual C++ documentation on asserts. • `local static thread guard'

• UnhandledExceptionFilter • IsValidLocaleName • result != nullptr

• c:\\program files (x86)\\microsoft visual

studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlexcept.h • EncodePointer • api-ms-win-core-localization-l1-2-1 • __crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_validation_base<char,class __crt_stdio_output::string_output_adapter<char> > >::state_case_normal_tchar • IsValidCodePage

• ( (_Stream.is_string_backed()) || (fn = _fileno(_Stream.public_stream()), ((_textmode_safe(fn) == __crt_lowio_text_mode::ansi) && !_tm_unicode_safe(fn))))

• __crt_strtox::c_string_character_source<wchar_t>::unget • `vector deleting destructor'

• CorExitProcess • common_configure_argv

• minkernel\\crts\\ucrt\\src\\appcrt\\string\\wcsicmp.cpp • `udt returning'

• `local static guard' • GetCurrentProcessId • __acrt_copy_locale_name

(18)

• .?AU_ATL_MODULE70@ATL@@ • `omni callsig' • GetXStateFeaturesMask

• Microsoft Visual C++ Runtime Library • strcat_s(szLineMessage, 4096, szUserMessage) • <program name unknown>

• wcscpy_s(locale, numberOfElements, names->szLanguage)

• .?AU?$CAtlValidateModuleConfiguration@$0A@VCATLConModule@@@ATL@@ • __acrt_get_qualified_locale

• __atl_condVal • GetTimeFormatW

• c:\\program files (x86)\\microsoft visual

studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlcomcli.h • Type Descriptor' • `generic-method-parameter-• .?AV?$CAtlModuleT@VCATLConModule@@@ATL@@ • GetUserDefaultLCID • GetDateFormatW • FlushFileBuffers • minkernel\\crts\\ucrt\\inc\\corecrt_internal_strtox.h • AreFileApisANSI • </trustInfo>

• strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error") • </requestedPrivileges>

• CoAddRefServerProcess • new_hook != nullptr • atlTraceSync

• traits::tcscpy_s(variable.get(), required_count, source_it) • GetUserDefaultLocaleName • _itow_s(nLine, szLineMessage, 4096, 10) • SetUnhandledExceptionFilter • common_set_report_hook • TranslateMessage • MultiByteToWideChar

• `template static data member destructor helper' • c:\\program files (x86)\\microsoft visual

studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlalloc.h • GetSystemTimePreciseAsFileTime

• abcdefghijklmnopqrstuvwxyz • _set_controlfp

• `template static data member constructor helper' •

`template-type-parameter-• `anonymous namespace' • dst != nullptr

• String is not null terminated • OutputDebugStringW

• InterlockedPushEntrySList • bad allocation

• GetLocaleNameFromDefault

• wcsncpy_s(localeNameCopy, cch+1, localeName, cch+1) • (Press Retry to debug the application)

• mode == 0 || mode == 1

• strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error") • __crt_strtox::parse_integer

• `vbase destructor'

• `scalar deleting destructor'

(19)

• `eh vector copy constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\heap\\new_mode.cpp • api-ms-win-core-winrt-l1-1-0

• atlTraceSnapin

• ERROR : Unable to initialize critical section in CAtlComModule • GetTextMetricsA • minkernel\\crts\\ucrt\\inc\\corecrt_internal_string_templates.h • api-ms-win-rtcore-ntuser-window-l1-1-0 • minkernel\\crts\\ucrt\\src\\appcrt\\stdio\\output.cpp • CallWindowProcA • cli::pin_ptr< • _get_doserrno • minkernel\\crts\\ucrt\\src\\appcrt\\misc\\dbgrpt.cpp • .?AUIAtlMemMgr@ATL@@ • minkernel\\crts\\ucrt\\devdiv\\vcruntime\\inc\\internal_shared.h • GetCurrentThread

• base == 0 || (2 <= base && base <= 36) • common_tcsncpy_s • api-ms-win-core-xstate-l2-1-0 • LCIDToLocaleName • api-ms-win-core-synch-l1-2-0 • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\internal\\per_thread_data.cpp • minkernel\\crts\\ucrt\\src\\appcrt\\locale\\inittime.cpp

• _controlfp_s(((void *)0), newctrl, mask & ~0x00080000) • GetSystemInfo

• ("Invalid input value", 0)

• __crt_strtox::c_string_character_source<char>::unget • api-ms-win-core-fibers-l1-1-1

• wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error") • std::nullptr_t

• .?AVpcharNode@@

• `dynamic atexit destructor for ' • CompareStringW • minkernel\\crts\\ucrt\\src\\appcrt\\tran\\contrlfp.c • `unknown ecsu' • .?AVCWin32Heap@ATL@@ • api-ms-win-core-file-l1-2-2 • DefWindowProcA • api-ms-win-core-sysinfo-l1-2-1

• _CrtDbgReport: String too long or Invalid characters in String • pbstrPath != 0 && ppTypeLib != 0

• bad array new length

• mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE • Class Hierarchy Descriptor'

• minkernel\\crts\\ucrt\\src\\appcrt\\startup\\onexit.cpp • GetWindowLongA • atlTraceTime • DecodePointer • `non-type-template-parameter • api-ms-win-core-datetime-l1-1-1 • atlTraceUtil • ext-ms-win-ntuser-windowstation-l1-1-0 • .?AUIAtlStringMgr@ATL@@ • Program: %hs%ls%ls%hs%ls%hs%ls%hs%ls%ls%hs%ls • <requestedPrivileges> • `template-parameter • `placement delete closure'

(20)

• api-ms-win-core-processthreads-l1-1-2 • .?AVCAtlStringMgr@ATL@@ • api-ms-win-core-string-l1-1-0 • generic-type-• AtlThrow: hr = 0x%x • atlTraceNotImpl • __lc_lctowcs • bad exception

• `eh vector constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\internal\\winapi_thunks.cpp • InitializeSListHead

• `placement delete[] closure' • .?AVexception@std@@

• (L"Buffer is too small" && 0)

• __crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_validation_base<char,class __crt_stdio_output::string_output_adapter<char> > >::type_case_integer

• `eh vector destructor iterator' • Base Class Descriptor at ( • atlTraceStencil

• InterlockedPopEntrySList

• _CrtDbgReport: String too long or IO Error

• minkernel\\crts\\ucrt\\src\\appcrt\\tran\\i386\\ieee87.c • c:\\program files (x86)\\microsoft visual

studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlbase.h • IsDebuggerPresent • WideCharToMultiByte • CoCreateInstance • FlushInstructionCache • VirtualAlloc • FindNextFileW • GetTimeFormatEx • GetConsoleCP • GetLastError • LeaveCriticalSection • GetProcessWindowStation • FindFirstFileExW • GetProcessHeap • VirtualProtect • EnumSystemLocalesEx • GetWindowRect • InitializeConditionVariable • InitializeCriticalSectionEx • GetWindowTextA • GetWindowTextLengthA • SetStdHandle • GetLocaleInfoW • FreeEnvironmentStringsW • DeleteCriticalSection • RegOpenKeyTransactedA • WriteConsoleW • GetModuleHandleW • GetModuleHandleA • RegisterClassExA • GetCommandLineA • GetCommandLineW • WaitForSingleObjectEx

(21)

• RegDeleteKeyA • PostThreadMessageA • CreateEventA • IsValidLocale • SleepConditionVariableCS • SetWindowTextA • GetStartupInfoW • WakeAllConditionVariable • VirtualQuery • RegDeleteKeyExA • CreateWindowExA • EnumSystemLocalesW • SetLastError • GetStringTypeW • RegOpenKeyExA • RegQueryInfoKeyA • HeapQueryInformation • GetEnvironmentStringsW • GetFileSizeEx • EnterCriticalSection • SetFilePointerEx • RegDeleteKeyTransactedA • GetModuleFileNameA • GetClassInfoExA • GetModuleFileNameW • GetActiveWindow • DispatchMessageA • InitializeCriticalSectionAndSpinCount • RaiseException • CompareStringEx • LCMapStringEx • GetDateFormatEx • GetLocaleInfoEx • GetLastActivePopup • SystemFunction036 • ReadConsoleW • GetModuleHandleExW • IsProcessorFeaturePresent • SetEnvironmentVariableW • LoadLibraryExW • LoadLibraryExA • GetUserObjectInformationW • GetClientRect • SendMessageA • WaitForSingleObject • GetStdHandle • RoUninitialize • hKeyParent != 0 • `vtordispex{ • _CrtSetReportFile • Assertion failed

• `managed vector constructor iterator' • create_environment

• AppPolicyGetShowDeveloperDiagnostic • RoInitialize

• CoRevokeClassObject • CoUninitialize

• oleaut32.dll • AppPolicyGetWindowingModel • (((source))) != NULL • cached_handle == new_handle • CoResumeClassObjects • AtlThunk_AllocateData • File

• Complete Object Locator' • kernel32.dll • minkernel\\crts\\ucrt\\src\\desktopcrt\\env\\environment_initialization.cpp • hInstTypeLib != 0 • SelectObject • wlocale, len) • CoInitialize

• `managed vector destructor iterator' • _pAtlModule == 0 • minkernel\\crts\\ucrt\\src\\appcrt\\locale\\getstringtypea.cpp • LangCountryEnumProcEx • atlTraceAllocation • _VCrtDbgReportA • atlTraceCache • Assertion failed: • atlTraceSecurity • AppPolicyGetProcessTerminationMethod • AtlThunk_FreeData • Unknown exception • atlTraceException • .?AVCATLConModule@@ • AtlThunk_InitData • advapi32.dll

• `vector constructor iterator' • atlTraceRefcount

• atlTraceISAPI • LanguageEnumProcEx

• `vector destructor iterator' • CoRegisterClassObject • StringFromGUID2 • __vectorcall • <file unknown> • atlTraceDBClient • hAdvAPI32 != 0 • Assertion failed! • @atlTraceISAPI • _controlfp_s • c == '\\0' || *_p == c • _CrtCheckMemory() • cached_fp == new_fp • atlthunk.dll

Threads behaviour

This section contains information about the sample's threads, such as the actions performed by each thread, in chronological order.

Network by processes

The analysis environment tries to capture and collect the network actions performed by the sample's threads.

Unpacked or injected modules

This section contains information about the sample's modules, such as their rich signatures and strings.

• Module 1 (probably unpacked / injected by the sample)

• Module 1 rich signatures

• 44616e53000000000000000000000000656603010d000000656605019700000052680401120000005268030115000000526805012f0000006 566040114000000656601010d000000000001009c0000009b690501030000009b69ff00010000009b690201

• Module 1 strings

• Module 1 most interesting strings

• wcsncpy_s(names->szCodePage, (sizeof(*__countof_helper(names->szCodePage)) + 0), wlocale, len)

• wcsncpy_s(_psetloc_data->_cacheLocaleName, (sizeof(*__countof_helper(_psetloc_data->_cacheLocaleName)) + 0), lpLocaleString, wcslen(lpLocaleString) + 1)

• !This program cannot be run in DOS mode. • .?AVbad_exception@std@@

• __acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required

• wcsncpy_s(lpOutStr->szCodePage, (sizeof(*__countof_helper(lpOutStr->szCodePage)) + 0), L"utf8", 5) • .?AVbad_alloc@std@@

• <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">

• !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~

• wcsncpy_s(_psetloc_data->_cacheLocaleName, (sizeof(*__countof_helper(_psetloc_data->_cacheLocaleName)) + 0), localeName, wcslen(localeName) + 1)

• wcsncpy_s(names->szCountry, (sizeof(*__countof_helper(names->szCountry)) + 0), wlocale, len) • <?xml version='1.0' encoding='UTF-8' standalone='yes'?>

• traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))

• <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

• wcsncpy_s(lpOutStr->szLocaleName, (sizeof(*__countof_helper(lpOutStr->szLocaleName)) + 0), _psetloc_data->_cacheLocaleName, wcslen(_psetloc_data->_cacheLocaleName) + 1) • api-ms-win-core-synch-l1-2-0.dll • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\eh\\std_exception.cpp • .?AVbad_array_new_length@std@@ • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\eh\\std_type_info.cpp

• ((destination)) != NULL && ((size_in_elements)) > 0 • Base Class Array'

• For information on how your program can cause an assertion • LocaleNameToLCID

• `copy constructor closure'

• ("Corrupted pointer passed to _freea", 0) • (L"String is not null terminated" && 0) • `managed vector copy constructor iterator' • _CrtSetReportMode

• <requestedExecutionLevel level='asInvoker' uiAccess='false' /> • _itoa_s(nLine, szLineMessage, 4096, 10)

• CoReleaseServerProcess

• minkernel\\crts\\ucrt\\src\\appcrt\\heap\\debug_heap.cpp • ERROR : Unable to initialize critical section in CAtlModule • atlTraceGeneral

• .?AVpairNode@@ • .?AVpDNameNode@@

• `vector copy constructor iterator' • minkernel\\crts\\ucrt\\src\\appcrt\\misc\\dbgrptt.cpp • .?AVCAtlModule@ATL@@ • api-ms-win-appmodel-runtime-l1-1-2 • SetWindowLongA • template-parameter-• `local vftable' • .?AVCAtlException@ATL@@ • Program: %ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls • .?AVtype_info@@ • minkernel\\crts\\ucrt\\src\\appcrt\\startup\\argv_parsing.cpp • QueryPerformanceCounter • AtlThunk_DataToCode • __crt_strtox::c_string_character_source<char>::validate

• wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String") • abort() has been called

• TerminateProcess

• c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atltrace.h • `dynamic initializer for '

• minkernel\\crts\\ucrt\\src\\appcrt\\locale\\locale_refcounting.cpp • .?AVDNameStatusNode@@

• `vector vbase copy constructor iterator' • cached_fp == invalid_function_sentinel() • InterlockedFlushSList • atlTraceString • utput::string_output_adapter<wchar_t>,class __crt_stdio_output::format_validation_base<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t> > >::type_case_integer • _set_new_mode • ext-ms-win-ntuser-dialogbox-l1-1-0 • cached_handle == INVALID_HANDLE_VALUE • atlTraceControls

• Buffer is too small

• minkernel\\crts\\ucrt\\src\\appcrt\\misc\\errno.cpp • `vector vbase constructor iterator'

• minkernel\\crts\\ucrt\\inc\\corecrt_internal_stdio.h • GetSystemTimeAsFileTime

• ERROR : Unable to initialize critical section in CAtlBaseModule • to->_What == nullptr && to->_DoFree == false

• __crt_strtox::c_string_character_source<wchar_t>::validate • common_message_window

• _p != nullptr • _VCrtDbgReportW

• `eh vector vbase copy constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\string\\stricmp.cpp • operator co_await

• `generic-class-parameter- • (ptloci->lc_category[category].locale != nullptr && ptloci->lc_category[category].refcount != nullptr) || (ptloci->lc_category[category].locale == nullptr && ptloci->lc_category[category].refcount == nullptr) • `local static destructor helper'

• strcat_s(szLineMessage, 4096, "\\r") • atlTraceHosting • .?AVcharNode@@ • .?AVDNameNode@@ • GetEnabledXStateFeatures • atlTraceDBProvider • LCMapStringW

• strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!") • `local vftable constructor closure'

• `eh vector vbase constructor iterator' • CreateEventW

• `default constructor closure'

• e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1)) • HeapValidate

• LocateXStateFeature • atlTraceRegistrar

• ("The hook function is not in the list!", 0) • `virtual displacement map'

• C:\\Users\\W7H64\\Desktop\\VCSamples-master\\VC2010Samples\\ATL\\General\\AtlCon\\bitcoin coinjoin op.pdb • AppPolicyGetThreadInitializationType

• GetProcAddress

• api-ms-win-security-systemfunctions-l1-1-0 • api-ms-win-core-localization-obsolete-l1-2-0 • common_tcscpy_s

• c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atltransactionmanager.h • .?AV?$CAtlExeModuleT@VCATLConModule@@@ATL@@ • (((HRESULT)(hr)) >= 0) • GetCurrentThreadId • GetConsoleMode • stream != nullptr • SetThreadStackGuarantee • GetCurrentProcess • src != nullptr • CreateThread • atlTraceWindowing

• false && "Too many categories defined" • SetConsoleCtrlHandler

• strcat_s(szLineMessage, 4096, "\\n") • 0 && "Use OBJECT_ENTRY_NON_CREATEABLE_EX • common_tcscat_s

• fMode == _CRTDBG_REPORT_MODE || (fMode & ~(_CRTDBG_MODE_FILE | _CRTDBG_MODE_DEBUG | _CRTDBG_MODE_WNDW)) == 0 • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcstartup\\src\\misc\\thread_safe_statics.cpp

• c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlconv.h • mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments

• d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\internal\\winapi_downlevel.cpp • strcpy_s(szOutMessage, 4096, szLineMessage)

• UnregisterClassA

• failure, see the Visual C++ documentation on asserts. • `local static thread guard'

• UnhandledExceptionFilter • IsValidLocaleName • result != nullptr

• c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlexcept.h • EncodePointer • api-ms-win-core-localization-l1-2-1 • __crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_validation_base<char,class __crt_stdio_output::string_output_adapter<char> > >::state_case_normal_tchar • IsValidCodePage

• ( (_Stream.is_string_backed()) || (fn = _fileno(_Stream.public_stream()), ((_textmode_safe(fn) == __crt_lowio_text_mode::ansi) && !_tm_unicode_safe(fn))))

• __crt_strtox::c_string_character_source<wchar_t>::unget • `vector deleting destructor'

• CorExitProcess • common_configure_argv

• minkernel\\crts\\ucrt\\src\\appcrt\\string\\wcsicmp.cpp • `udt returning'

• `local static guard' • GetCurrentProcessId • __acrt_copy_locale_name

• ("lc_time_curr unexpectedly has no remaining references", 0) • .?AU_ATL_MODULE70@ATL@@

• `omni callsig' • GetXStateFeaturesMask

• Microsoft Visual C++ Runtime Library • strcat_s(szLineMessage, 4096, szUserMessage) • <program name unknown>

• wcscpy_s(locale, numberOfElements, names->szLanguage)

• .?AU?$CAtlValidateModuleConfiguration@$0A@VCATLConModule@@@ATL@@ • __acrt_get_qualified_locale

• __atl_condVal • GetTimeFormatW

• c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlcomcli.h • Type Descriptor' • `generic-method-parameter-• .?AV?$CAtlModuleT@VCATLConModule@@@ATL@@ • GetUserDefaultLCID • GetDateFormatW • FlushFileBuffers • minkernel\\crts\\ucrt\\inc\\corecrt_internal_strtox.h • AreFileApisANSI • </trustInfo>

• strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error") • </requestedPrivileges>

• CoAddRefServerProcess • new_hook != nullptr • atlTraceSync

• traits::tcscpy_s(variable.get(), required_count, source_it) • GetUserDefaultLocaleName • _itow_s(nLine, szLineMessage, 4096, 10) • SetUnhandledExceptionFilter • common_set_report_hook • TranslateMessage • MultiByteToWideChar

• `template static data member destructor helper' • c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlalloc.h • GetSystemTimePreciseAsFileTime

• abcdefghijklmnopqrstuvwxyz • _set_controlfp

• `template static data member constructor helper' • `template-type-parameter- • `anonymous namespace' • dst != nullptr

• String is not null terminated • OutputDebugStringW

• bad allocation

• GetLocaleNameFromDefault

• wcsncpy_s(localeNameCopy, cch+1, localeName, cch+1) • (Press Retry to debug the application)

• mode == 0 || mode == 1

• strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error") • __crt_strtox::parse_integer

• `vbase destructor'

• `scalar deleting destructor'

• nRptType >= 0 && nRptType < _CRT_ERRCNT • `eh vector copy constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\heap\\new_mode.cpp • api-ms-win-core-winrt-l1-1-0

• atlTraceSnapin

• ERROR : Unable to initialize critical section in CAtlComModule • GetTextMetricsA • minkernel\\crts\\ucrt\\inc\\corecrt_internal_string_templates.h • api-ms-win-rtcore-ntuser-window-l1-1-0 • minkernel\\crts\\ucrt\\src\\appcrt\\stdio\\output.cpp • CallWindowProcA • cli::pin_ptr< • _get_doserrno • minkernel\\crts\\ucrt\\src\\appcrt\\misc\\dbgrpt.cpp • .?AUIAtlMemMgr@ATL@@ • minkernel\\crts\\ucrt\\devdiv\\vcruntime\\inc\\internal_shared.h • GetCurrentThread

• base == 0 || (2 <= base && base <= 36) • common_tcsncpy_s • api-ms-win-core-xstate-l2-1-0 • LCIDToLocaleName • api-ms-win-core-synch-l1-2-0 • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\internal\\per_thread_data.cpp • minkernel\\crts\\ucrt\\src\\appcrt\\locale\\inittime.cpp

• _controlfp_s(((void *)0), newctrl, mask & ~0x00080000) • GetSystemInfo

• ("Invalid input value", 0)

• __crt_strtox::c_string_character_source<char>::unget • api-ms-win-core-fibers-l1-1-1

• wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error") • std::nullptr_t

• .?AVpcharNode@@

• `dynamic atexit destructor for ' • CompareStringW • minkernel\\crts\\ucrt\\src\\appcrt\\tran\\contrlfp.c • `unknown ecsu' • .?AVCWin32Heap@ATL@@ • api-ms-win-core-file-l1-2-2 • DefWindowProcA • api-ms-win-core-sysinfo-l1-2-1

• _CrtDbgReport: String too long or Invalid characters in String • pbstrPath != 0 && ppTypeLib != 0

• bad array new length

• mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE • Class Hierarchy Descriptor'

• minkernel\\crts\\ucrt\\src\\appcrt\\startup\\onexit.cpp • GetWindowLongA

• DecodePointer • `non-type-template-parameter • api-ms-win-core-datetime-l1-1-1 • atlTraceUtil • ext-ms-win-ntuser-windowstation-l1-1-0 • .?AUIAtlStringMgr@ATL@@ • Program: %hs%ls%ls%hs%ls%hs%ls%hs%ls%ls%hs%ls • <requestedPrivileges> • `template-parameter • `placement delete closure'

• api-ms-win-core-processthreads-l1-1-2 • .?AVCAtlStringMgr@ATL@@ • api-ms-win-core-string-l1-1-0 • generic-type-• AtlThrow: hr = 0x%x • atlTraceNotImpl • __lc_lctowcs • bad exception

• `eh vector constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\internal\\winapi_thunks.cpp • InitializeSListHead

• `placement delete[] closure' • .?AVexception@std@@

• (L"Buffer is too small" && 0)

• __crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_validation_base<char,class __crt_stdio_output::string_output_adapter<char> > >::type_case_integer

• `eh vector destructor iterator' • Base Class Descriptor at ( • atlTraceStencil

• InterlockedPopEntrySList

• _CrtDbgReport: String too long or IO Error

• minkernel\\crts\\ucrt\\src\\appcrt\\tran\\i386\\ieee87.c • c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlbase.h • IsDebuggerPresent • WideCharToMultiByte • CoCreateInstance • FlushInstructionCache • VirtualAlloc • FindNextFileW • GetTimeFormatEx • GetConsoleCP • GetLastError • LeaveCriticalSection • GetProcessWindowStation • FindFirstFileExW • GetProcessHeap • VirtualProtect • EnumSystemLocalesEx • GetWindowRect • InitializeConditionVariable • InitializeCriticalSectionEx • GetWindowTextA • GetWindowTextLengthA • SetStdHandle • GetLocaleInfoW

• FreeEnvironmentStringsW • DeleteCriticalSection • RegOpenKeyTransactedA • WriteConsoleW • GetModuleHandleW • GetModuleHandleA • RegisterClassExA • GetCommandLineA • GetCommandLineW • WaitForSingleObjectEx • RegDeleteKeyA • PostThreadMessageA • CreateEventA • IsValidLocale • SleepConditionVariableCS • SetWindowTextA • GetStartupInfoW • WakeAllConditionVariable • VirtualQuery • RegDeleteKeyExA • CreateWindowExA • EnumSystemLocalesW • SetLastError • GetStringTypeW • RegOpenKeyExA • RegQueryInfoKeyA • HeapQueryInformation • GetEnvironmentStringsW • GetFileSizeEx • EnterCriticalSection • SetFilePointerEx • RegDeleteKeyTransactedA • GetModuleFileNameA • GetClassInfoExA • GetModuleFileNameW • GetActiveWindow • DispatchMessageA • InitializeCriticalSectionAndSpinCount • RaiseException • CompareStringEx • LCMapStringEx • GetDateFormatEx • GetLocaleInfoEx • GetLastActivePopup • SystemFunction036 • ReadConsoleW • GetModuleHandleExW • IsProcessorFeaturePresent • SetEnvironmentVariableW • LoadLibraryExW • LoadLibraryExA • GetUserObjectInformationW • GetClientRect • SendMessageA • WaitForSingleObject • GetStdHandle

• Module 1 other strings

• RoUninitialize • hKeyParent != 0 • `vtordispex{ • _CrtSetReportFile • Assertion failed

• `managed vector constructor iterator' • create_environment • AppPolicyGetShowDeveloperDiagnostic • RoInitialize • CoRevokeClassObject • CoUninitialize • oleaut32.dll • AppPolicyGetWindowingModel • (((source))) != NULL • cached_handle == new_handle • CoResumeClassObjects • AtlThunk_AllocateData • File

• Complete Object Locator' • kernel32.dll • minkernel\\crts\\ucrt\\src\\desktopcrt\\env\\environment_initialization.cpp • hInstTypeLib != 0 • SelectObject • wlocale, len) • CoInitialize

• `managed vector destructor iterator' • _pAtlModule == 0 • minkernel\\crts\\ucrt\\src\\appcrt\\locale\\getstringtypea.cpp • LangCountryEnumProcEx • atlTraceAllocation • _VCrtDbgReportA • atlTraceCache • • atlTraceSecurity • AppPolicyGetProcessTerminationMethod • AtlThunk_FreeData • Unknown exception • atlTraceException • .?AVCATLConModule@@ • AtlThunk_InitData • advapi32.dll

• `vector constructor iterator' • atlTraceRefcount

• atlTraceISAPI • LanguageEnumProcEx

• `vector destructor iterator' • CoRegisterClassObject • StringFromGUID2 • __vectorcall • <file unknown> • atlTraceDBClient • hAdvAPI32 != 0 • Assertion failed!

• _controlfp_s

• c == '\\0' || *_p == c • _CrtCheckMemory() • cached_fp == new_fp • atlthunk.dll

• Module 2 (probably unpacked / injected by the sample)

• Module 2 rich signatures

• 44616e53000000000000000000000000656603010d000000656605019700000052680401120000005268030115000000526805012f0000006 566040114000000656601010d000000000001009c0000009b690501030000009b69ff00010000009b690201

• Module 2 strings

• Module 2 most interesting strings

• wcsncpy_s(names->szCodePage, (sizeof(*__countof_helper(names->szCodePage)) + 0), wlocale, len)

• wcsncpy_s(_psetloc_data->_cacheLocaleName, (sizeof(*__countof_helper(_psetloc_data->_cacheLocaleName)) + 0), lpLocaleString, wcslen(lpLocaleString) + 1)

• !This program cannot be run in DOS mode. • .?AVbad_exception@std@@

• __acrt_stdio_char_traits<char>::validate_stream_is_ansi_if_required • C:\\Users\\p3pp3r\\Downloads\\p3pp3rsamp.exe

• wcsncpy_s(lpOutStr->szCodePage, (sizeof(*__countof_helper(lpOutStr->szCodePage)) + 0), L"utf8", 5) • .?AVbad_alloc@std@@

• <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">

• !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~

• wcsncpy_s(_psetloc_data->_cacheLocaleName, (sizeof(*__countof_helper(_psetloc_data->_cacheLocaleName)) + 0), localeName, wcslen(localeName) + 1)

• wcsncpy_s(names->szCountry, (sizeof(*__countof_helper(names->szCountry)) + 0), wlocale, len) • <?xml version='1.0' encoding='UTF-8' standalone='yes'?>

• traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))

• <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>

• wcsncpy_s(lpOutStr->szLocaleName, (sizeof(*__countof_helper(lpOutStr->szLocaleName)) + 0), _psetloc_data->_cacheLocaleName, wcslen(_psetloc_data->_cacheLocaleName) + 1) • api-ms-win-core-synch-l1-2-0.dll • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\eh\\std_exception.cpp • .?AVbad_array_new_length@std@@ • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\eh\\std_type_info.cpp

• ((destination)) != NULL && ((size_in_elements)) > 0 • Base Class Array'

• For information on how your program can cause an assertion • LocaleNameToLCID

• `copy constructor closure'

• ("Corrupted pointer passed to _freea", 0) • (L"String is not null terminated" && 0) • `managed vector copy constructor iterator' • _CrtSetReportMode

• <requestedExecutionLevel level='asInvoker' uiAccess='false' /> • _itoa_s(nLine, szLineMessage, 4096, 10)

• CoReleaseServerProcess

• minkernel\\crts\\ucrt\\src\\appcrt\\heap\\debug_heap.cpp • ERROR : Unable to initialize critical section in CAtlModule

• atlTraceGeneral • .?AVpairNode@@ • .?AVpDNameNode@@

• `vector copy constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\misc\\dbgrptt.cpp • .?AVCAtlModule@ATL@@ • api-ms-win-appmodel-runtime-l1-1-2 • SetWindowLongA • template-parameter-• `local vftable' • .?AVCAtlException@ATL@@ • Program: %ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls%ls • .?AVtype_info@@ • minkernel\\crts\\ucrt\\src\\appcrt\\startup\\argv_parsing.cpp • QueryPerformanceCounter • AtlThunk_DataToCode • __crt_strtox::c_string_character_source<char>::validate

• wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String") • abort() has been called

• TerminateProcess

• c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atltrace.h • `dynamic initializer for '

• minkernel\\crts\\ucrt\\src\\appcrt\\locale\\locale_refcounting.cpp • .?AVDNameStatusNode@@

• `vector vbase copy constructor iterator' • cached_fp == invalid_function_sentinel() • InterlockedFlushSList • atlTraceString • utput::string_output_adapter<wchar_t>,class __crt_stdio_output::format_validation_base<wchar_t,class __crt_stdio_output::string_output_adapter<wchar_t> > >::type_case_integer • _set_new_mode • ext-ms-win-ntuser-dialogbox-l1-1-0 • cached_handle == INVALID_HANDLE_VALUE • atlTraceControls

• Buffer is too small

• minkernel\\crts\\ucrt\\src\\appcrt\\misc\\errno.cpp • `vector vbase constructor iterator'

• minkernel\\crts\\ucrt\\inc\\corecrt_internal_stdio.h • GetSystemTimeAsFileTime

• ERROR : Unable to initialize critical section in CAtlBaseModule • to->_What == nullptr && to->_DoFree == false

• __crt_strtox::c_string_character_source<wchar_t>::validate • common_message_window

• _p != nullptr • _VCrtDbgReportW

• `eh vector vbase copy constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\string\\stricmp.cpp • operator co_await

• `generic-class-parameter- • (ptloci->lc_category[category].locale != nullptr && ptloci->lc_category[category].refcount != nullptr) || (ptloci->lc_category[category].locale == nullptr && ptloci->lc_category[category].refcount == nullptr) • `local static destructor helper'

• strcat_s(szLineMessage, 4096, "\\r") • atlTraceHosting

• .?AVcharNode@@ • .?AVDNameNode@@

• GetEnabledXStateFeatures • atlTraceDBProvider • LCMapStringW

• strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!") • `local vftable constructor closure'

• `eh vector vbase constructor iterator' • CreateEventW

• `default constructor closure'

• e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1)) • HeapValidate

• LocateXStateFeature • atlTraceRegistrar

• ("The hook function is not in the list!", 0) • `virtual displacement map'

• C:\\Users\\W7H64\\Desktop\\VCSamples-master\\VC2010Samples\\ATL\\General\\AtlCon\\bitcoin coinjoin op.pdb • AppPolicyGetThreadInitializationType

• GetProcAddress

• api-ms-win-security-systemfunctions-l1-1-0 • api-ms-win-core-localization-obsolete-l1-2-0 • common_tcscpy_s

• c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atltransactionmanager.h • .?AV?$CAtlExeModuleT@VCATLConModule@@@ATL@@ • (((HRESULT)(hr)) >= 0) • GetCurrentThreadId • GetConsoleMode • stream != nullptr • SetThreadStackGuarantee • GetCurrentProcess • src != nullptr • CreateThread • atlTraceWindowing

• false && "Too many categories defined" • SetConsoleCtrlHandler

• strcat_s(szLineMessage, 4096, "\\n") • 0 && "Use OBJECT_ENTRY_NON_CREATEABLE_EX • common_tcscat_s

• fMode == _CRTDBG_REPORT_MODE || (fMode & ~(_CRTDBG_MODE_FILE | _CRTDBG_MODE_DEBUG | _CRTDBG_MODE_WNDW)) == 0 • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcstartup\\src\\misc\\thread_safe_statics.cpp

• c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlconv.h • mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments

• d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\internal\\winapi_downlevel.cpp • strcpy_s(szOutMessage, 4096, szLineMessage)

• UnregisterClassA

• failure, see the Visual C++ documentation on asserts. • `local static thread guard'

• UnhandledExceptionFilter • IsValidLocaleName • result != nullptr

• c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlexcept.h • EncodePointer • api-ms-win-core-localization-l1-2-1 • __crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_validation_base<char,class __crt_stdio_output::string_output_adapter<char> > >::state_case_normal_tchar

• IsValidCodePage

• ( (_Stream.is_string_backed()) || (fn = _fileno(_Stream.public_stream()), ((_textmode_safe(fn) == __crt_lowio_text_mode::ansi) && !_tm_unicode_safe(fn))))

• __crt_strtox::c_string_character_source<wchar_t>::unget • `vector deleting destructor'

• CorExitProcess • common_configure_argv

• minkernel\\crts\\ucrt\\src\\appcrt\\string\\wcsicmp.cpp • `udt returning'

• `local static guard' • GetCurrentProcessId • __acrt_copy_locale_name

• ("lc_time_curr unexpectedly has no remaining references", 0) • .?AU_ATL_MODULE70@ATL@@

• `omni callsig' • GetXStateFeaturesMask

• Microsoft Visual C++ Runtime Library • strcat_s(szLineMessage, 4096, szUserMessage) • <program name unknown>

• wcscpy_s(locale, numberOfElements, names->szLanguage)

• .?AU?$CAtlValidateModuleConfiguration@$0A@VCATLConModule@@@ATL@@ • __acrt_get_qualified_locale

• __atl_condVal • GetTimeFormatW

• c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlcomcli.h • Type Descriptor' • `generic-method-parameter-• .?AV?$CAtlModuleT@VCATLConModule@@@ATL@@ • GetUserDefaultLCID • GetDateFormatW • FlushFileBuffers • minkernel\\crts\\ucrt\\inc\\corecrt_internal_strtox.h • AreFileApisANSI • </trustInfo>

• strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error") • </requestedPrivileges>

• CoAddRefServerProcess • new_hook != nullptr • atlTraceSync

• traits::tcscpy_s(variable.get(), required_count, source_it) • GetUserDefaultLocaleName • _itow_s(nLine, szLineMessage, 4096, 10) • SetUnhandledExceptionFilter • common_set_report_hook • TranslateMessage • MultiByteToWideChar

• `template static data member destructor helper' • c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlalloc.h • GetSystemTimePreciseAsFileTime

• abcdefghijklmnopqrstuvwxyz • _set_controlfp

• `template static data member constructor helper' • `template-type-parameter- • `anonymous namespace' • dst != nullptr

• String is not null terminated • OutputDebugStringW • InterlockedPushEntrySList • bad allocation • GetLocaleNameFromDefault • wcsncpy_s(localeNameCopy, cch+1, localeName, cch+1) • (Press Retry to debug the application)

• mode == 0 || mode == 1

• strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error") • __crt_strtox::parse_integer

• `vbase destructor'

• `scalar deleting destructor'

• nRptType >= 0 && nRptType < _CRT_ERRCNT • `eh vector copy constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\heap\\new_mode.cpp • api-ms-win-core-winrt-l1-1-0

• atlTraceSnapin

• ERROR : Unable to initialize critical section in CAtlComModule • GetTextMetricsA • minkernel\\crts\\ucrt\\inc\\corecrt_internal_string_templates.h • api-ms-win-rtcore-ntuser-window-l1-1-0 • minkernel\\crts\\ucrt\\src\\appcrt\\stdio\\output.cpp • CallWindowProcA • cli::pin_ptr< • _get_doserrno • minkernel\\crts\\ucrt\\src\\appcrt\\misc\\dbgrpt.cpp • .?AUIAtlMemMgr@ATL@@ • minkernel\\crts\\ucrt\\devdiv\\vcruntime\\inc\\internal_shared.h • GetCurrentThread

• base == 0 || (2 <= base && base <= 36) • common_tcsncpy_s • api-ms-win-core-xstate-l2-1-0 • LCIDToLocaleName • api-ms-win-core-synch-l1-2-0 • d:\\agent\\_work\\3\\s\\src\\vctools\\crt\\vcruntime\\src\\internal\\per_thread_data.cpp • minkernel\\crts\\ucrt\\src\\appcrt\\locale\\inittime.cpp

• _controlfp_s(((void *)0), newctrl, mask & ~0x00080000) • GetSystemInfo

• ("Invalid input value", 0)

• __crt_strtox::c_string_character_source<char>::unget • api-ms-win-core-fibers-l1-1-1

• wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error") • std::nullptr_t

• .?AVpcharNode@@

• `dynamic atexit destructor for ' • CompareStringW • minkernel\\crts\\ucrt\\src\\appcrt\\tran\\contrlfp.c • `unknown ecsu' • .?AVCWin32Heap@ATL@@ • api-ms-win-core-file-l1-2-2 • DefWindowProcA • api-ms-win-core-sysinfo-l1-2-1

• _CrtDbgReport: String too long or Invalid characters in String • pbstrPath != 0 && ppTypeLib != 0

• bad array new length

• mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE • Class Hierarchy Descriptor'

• minkernel\\crts\\ucrt\\src\\appcrt\\startup\\onexit.cpp • GetWindowLongA • atlTraceTime • DecodePointer • `non-type-template-parameter • api-ms-win-core-datetime-l1-1-1 • atlTraceUtil • ext-ms-win-ntuser-windowstation-l1-1-0 • .?AUIAtlStringMgr@ATL@@ • Program: %hs%ls%ls%hs%ls%hs%ls%hs%ls%ls%hs%ls • <requestedPrivileges> • `template-parameter • `placement delete closure'

• api-ms-win-core-processthreads-l1-1-2 • .?AVCAtlStringMgr@ATL@@ • api-ms-win-core-string-l1-1-0 • generic-type-• AtlThrow: hr = 0x%x • atlTraceNotImpl • __lc_lctowcs • bad exception

• `eh vector constructor iterator'

• minkernel\\crts\\ucrt\\src\\appcrt\\internal\\winapi_thunks.cpp • InitializeSListHead

• `placement delete[] closure' • .?AVexception@std@@

• (L"Buffer is too small" && 0)

• __crt_stdio_output::output_processor<char,class __crt_stdio_output::string_output_adapter<char>,class __crt_stdio_output::format_validation_base<char,class __crt_stdio_output::string_output_adapter<char> > >::type_case_integer

• `eh vector destructor iterator' • Base Class Descriptor at ( • atlTraceStencil

• InterlockedPopEntrySList

• _CrtDbgReport: String too long or IO Error

• minkernel\\crts\\ucrt\\src\\appcrt\\tran\\i386\\ieee87.c • c:\\program files (x86)\\microsoft visual studio\\2017\\community\\vc\\tools\\msvc\\14.16.27023\\atlmfc\\include\\atlbase.h • IsDebuggerPresent • WideCharToMultiByte • CoCreateInstance • FlushInstructionCache • VirtualAlloc • FindNextFileW • GetTimeFormatEx • GetConsoleCP • GetLastError • LeaveCriticalSection • GetProcessWindowStation • FindFirstFileExW • GetProcessHeap • VirtualProtect • EnumSystemLocalesEx • GetWindowRect • InitializeConditionVariable • InitializeCriticalSectionEx • GetWindowTextA

• GetWindowTextLengthA • SetStdHandle • GetLocaleInfoW • FreeEnvironmentStringsW • DeleteCriticalSection • RegOpenKeyTransactedA • WriteConsoleW • GetModuleHandleW • GetModuleHandleA • RegisterClassExA • GetCommandLineA • GetCommandLineW • WaitForSingleObjectEx • RegDeleteKeyA • PostThreadMessageA • CreateEventA • IsValidLocale • SleepConditionVariableCS • SetWindowTextA • GetStartupInfoW • WakeAllConditionVariable • VirtualQuery • RegDeleteKeyExA • CreateWindowExA • EnumSystemLocalesW • SetLastError • GetStringTypeW • RegOpenKeyExA • RegQueryInfoKeyA • HeapQueryInformation • GetEnvironmentStringsW • GetFileSizeEx • EnterCriticalSection • SetFilePointerEx • RegDeleteKeyTransactedA • GetModuleFileNameA • GetClassInfoExA • GetModuleFileNameW • GetActiveWindow • DispatchMessageA • InitializeCriticalSectionAndSpinCount • RaiseException • CompareStringEx • LCMapStringEx • GetDateFormatEx • GetLocaleInfoEx • GetLastActivePopup • SystemFunction036 • ReadConsoleW • GetModuleHandleExW • IsProcessorFeaturePresent • SetEnvironmentVariableW • LoadLibraryExW • LoadLibraryExA • GetUserObjectInformationW • GetClientRect • SendMessageA

• WaitForSingleObject • GetStdHandle

• Module 2 other strings

• RoUninitialize • hKeyParent != 0 • `vtordispex{ • _CrtSetReportFile • Assertion failed

• `managed vector constructor iterator' • create_environment • @atlTraceISAPI • AppPolicyGetShowDeveloperDiagnostic • RoInitialize • CoRevokeClassObject • CoUninitialize • oleaut32.dll • AppPolicyGetWindowingModel • (((source))) != NULL • cached_handle == new_handle • CoResumeClassObjects • AtlThunk_AllocateData • File

• Complete Object Locator' • kernel32.dll • minkernel\\crts\\ucrt\\src\\desktopcrt\\env\\environment_initialization.cpp • hInstTypeLib != 0 • SelectObject • wlocale, len) • CoInitialize

• `managed vector destructor iterator' • _pAtlModule == 0 • minkernel\\crts\\ucrt\\src\\appcrt\\locale\\getstringtypea.cpp • LangCountryEnumProcEx • atlTraceAllocation • _VCrtDbgReportA • atlTraceCache • atlTraceSecurity • AppPolicyGetProcessTerminationMethod • AtlThunk_FreeData • Unknown exception • atlTraceException • .?AVCATLConModule@@ • AtlThunk_InitData • advapi32.dll

• `vector constructor iterator' • atlTraceRefcount

• atlTraceISAPI • LanguageEnumProcEx

• `vector destructor iterator' • CoRegisterClassObject • StringFromGUID2 • __vectorcall • <file unknown>


• atlTraceDBClient • hAdvAPI32 != 0 • Assertion failed! • _controlfp_s • c == '\\0' || *_p == c • _CrtCheckMemory() • cached_fp == new_fp • atlthunk.dll


Extra Information Recovered


Configs Recovered
