Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-11 11:15:33 | 2025-06-11 11:32:58 | 1045 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,178 [root] INFO: Date set to: 20250611T07:33:12, timeout set to: 1000 2025-06-11 08:33:12,322 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8 2025-06-11 08:33:12,322 [root] DEBUG: Storing results at: C:\uyHCokWh 2025-06-11 08:33:12,322 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC 2025-06-11 08:33:12,322 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-11 08:33:12,322 [root] INFO: analysis running as an admin 2025-06-11 08:33:12,322 [root] INFO: analysis package specified: "exe" 2025-06-11 08:33:12,322 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-11 08:33:13,119 [root] DEBUG: imported analysis package "exe" 2025-06-11 08:33:13,119 [root] DEBUG: initializing analysis package "exe"... 2025-06-11 08:33:13,119 [lib.common.common] INFO: wrapping 2025-06-11 08:33:13,119 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-11 08:33:13,119 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\pwcreator.exe 2025-06-11 08:33:13,119 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-11 08:33:13,119 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-11 08:33:13,119 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-11 08:33:13,119 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-11 08:33:13,322 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-11 08:33:13,338 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-11 08:33:13,447 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-11 08:33:13,447 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-11 08:33:13,463 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-11 08:33:13,463 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-11 08:33:13,463 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-11 08:33:13,478 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-11 08:33:13,478 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-11 08:33:13,478 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-11 08:33:13,478 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-11 08:33:13,478 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-11 08:33:13,478 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-11 08:33:13,478 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-11 08:33:13,478 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-11 08:33:13,478 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-11 08:33:13,478 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-11 08:33:13,478 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-11 08:33:13,666 [modules.auxiliary.digisig] DEBUG: File is not signed 2025-06-11 08:33:13,666 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-11 08:33:13,666 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-11 08:33:13,666 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-11 08:33:13,666 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-11 08:33:13,666 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-11 08:33:13,666 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-11 08:33:13,666 [modules.auxiliary.disguise] INFO: Disguising GUID to 9b7cdcea-e4d9-4c24-8a0c-bc615bd315ed 2025-06-11 08:33:13,666 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-11 08:33:13,666 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-11 08:33:13,666 [root] DEBUG: attempting to configure 'Human' from data 2025-06-11 08:33:13,666 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-11 08:33:13,666 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-11 08:33:13,666 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-11 08:33:13,666 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-11 08:33:13,666 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-11 08:33:13,666 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-11 08:33:13,666 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-11 08:33:13,666 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-11 08:33:13,666 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-11 08:33:13,666 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-11 08:33:13,666 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-11 08:33:13,666 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-11 08:33:13,666 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-11 08:33:13,666 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-11 08:33:13,681 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini 2025-06-11 08:33:13,681 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-11 08:33:13,681 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-11 08:33:13,681 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-11 08:33:13,681 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-11 08:33:13,681 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-11 08:33:13,681 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-11 08:33:13,697 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pQxbIz.dll, loader C:\tmp_gell1p8\bin\EPCPTrhb.exe 2025-06-11 08:33:13,791 [root] DEBUG: Loader: IAT patching disabled. 2025-06-11 08:33:13,791 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\pQxbIz.dll. 2025-06-11 08:33:13,822 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-11 08:33:13,822 [root] INFO: Disabling sleep skipping. 2025-06-11 08:33:13,822 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-11 08:33:13,822 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-11 08:33:13,822 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-11 08:33:13,822 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-11 08:33:13,838 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-11 08:33:13,838 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-11 08:33:13,853 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-11 08:33:13,853 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-11 08:33:13,853 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 4404, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000 2025-06-11 08:33:13,853 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-11 08:33:13,885 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-11 08:33:13,885 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-11 08:33:13,885 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\pQxbIz.dll. 2025-06-11 08:33:13,885 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-11 08:33:13,885 [root] DE <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-11 11:15:33 | 2025-06-11 11:32:38 | none |
File Details
| File Name |
pwcreator.exe
|
|---|---|
| File Type | PE32+ executable (GUI) x86-64, for MS Windows |
| File Size | 817152 bytes |
| MD5 | bc356f8abd5764af6b977974d88041ff |
| SHA1 | b225ddd12003ae0718e18bfc8219f54eb79ba5d7 |
| SHA256 | d1e1296f3107f9a1b7feca788ca64041dd4d2a3fd4627f0b38bcce122df42f42 [VT] [MWDB] [Bazaar] |
| SHA3-384 | 9e75c2a5f6edd9cd4c1784505048a06371b3bbd273c6062986a67c05dfbaec404f49ae81e86b93890952de7060833433 |
| CRC32 | A67DA0DB |
| TLSH | T17505181CA7ACC294D06E8534885287F5EA72BC281BA246CB5360F33E5F379D85E36F15 |
| Ssdeep | 12288:/JWRlj4Eob7HRwRTwuMo3FfXse7xH6gJcrGnTbiRW:YRlj4Eo6RTwu3FFtJcrsbuW |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
onj[XUUUUUUU
@.data
fA9tM
//IMAGE[@INDEX='%u']/WINDOWS/LANGUAGES/DEFAULT
en-SG
SVWATAVAWH
H!}HL
uUDDI`w
SetThreadpoolThreadMaximum
.?AVCSqmStream@utils@@
SetThreadExecutionState
</trustInfo>
de-DE
.?AVCEtwLogger@utils@@
\$XH;\$`
drivers\wdm\usbpw\creator\lib\utils\cwindowsimage.cpp
GetStartupInfoW
APPID
PA^_^][
.?AV?$_Ref_count@VCSqmData@ux@@@tr1@std@@
en-TT
Failed to get a handle to the memtest object. Status = [%x]
System BCD store does not exist, creating.
.?AV?$enable_shared_from_this@VCWizard@ux@@@tr1@std@@
.?AV?$CWindowImplBaseT@VCAeroWizardFrameWindow@WTL@@V?$CWinTraits@$0FGAAAAAA@$0A@@ATL@@@ATL@@
SSSjMMMUZZZ<```
ne-NP
zh-HK
ZYZIeee
;;;;;;:65452
'OVQB
u*9Q<|%
bs-Latn
q)1M1Or
|SYSPART|\|BOOTMGR|
uiN{s
SeDebugPrivilege
$$$$$$
ta-LK
sma-NO
af-ZA
|SYSPART|\|EFIDEFAULT|\|DEFAULTAPP|
BcdDeleteElement
K+jV~mjjJ
mn-MN
WIMSetTemporaryPath
0A_A\^[]
(drivers\wdm\usbpw\creator\lib\utils\cthreadexecutionstate.cpp
__RTDynamicCast
DEFAULTAPP
ff-Latn
RegSetValueExW
//IMAGE[@INDEX='%u']/WINDOWS/SERVICINGDATA/PKEYCONFIGVERSION
CopyFileExW
mn-Mong
RDVConfigureBDE
GetSecurityDescriptorControl
f3.c53.c53.c5VH`40.c5VHg4*.c5VHf4:.c5VHb4
zu]H9
CLSIDFromString
Malgun Gothic
SYSROOT
ku-Arab-IQ
~~FFz~
\\\\\\\\\\\\\\\\\\\
VWAVH
?MSdY
X_^[]
CM_Request_Device_EjectW
~zF[z
L$xH3
WIMLoadImage
9\$`~e
sl-SI
tq9t$`t
Microsoft Corporation
\\.\PhysicalDrive%d
9u(~S3
LoadLibraryExW
.?AVCWizard@ux@@
ZUaL#
OutputDebugStringA
_XcptFilter
D9t$|t
SetupDiGetDeviceInterfaceDetailW
.?AV?$_Ref_count@VCProvisionWorkItem@bl@@@tr1@std@@
fE9t}
.?AVCFindWindowsImagesWorkItem@bl@@
Removing duplicate object %wZ
X\?E/5
_lock
DeviceName
AtlThunk_DataToCode
`A^_^][
ta-IN
USVWATAUAVAWH
NumericalPassword
BfspPrintFileOwnerProcess: NtQueryInformationFilefailed! Status = %#x
\EFI\Microsoft\Recovery\BCD
@SUVWAVH
UnmapViewOfFile
nldKHX
t$@H;
fD9<ru
}-(Nfhf\QHB%v
SECURITY
drivers\wdm\usbpw\creator\lib\utils\cprocess.cpp
language="*"
#OR$I
Microsoft-Windows-PortableWorkspaces-Creator-Tool
AppID
VolumePathName for %ws is %ws
_initterm
tt-RU
.?AVlogic_error@std@@
fD9,Bu
kr-NG
EnableBitLocker
.idata$5
BfspPrintFileOwnerProcess: Failed to open file!Last Error = %#x
LoadLibraryW
enterpriseneval
BcdOpenStoreFromFile
,cvvV
Failed to GetVolumePathName for %ws (%u).
sms-FI
Copying resource files from %s to %s...
S~=5p
DevObjCreateDeviceInfoList
es-AR
WIMRegisterMessageCallback
.pdata
NtQuerySystemInformation
wcschr
de-AT
Memory Tester application not found. Skipping add.
zD?=RROKGX
Microsoft
fil-PH
}FF<44
_acmdln
$7Bz
bootia32.efi
ED75322
drivers\wdm\usbpw\creator\lib\ux\ccompletedpage.cpp
gn-PY
ar-TN
@UVWAVAWH
DevicePageToInstallSourcePage
Microsoft JhengHei UI
.?AVCAtlException@ATL@@
A^A\_
Ep!uxH
Idrivers\wdm\usbpw\creator\lib\utils\cthreadpool.cpp
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
zu-ZA
sd-Arab-PK
.data$r$brc
A^A]_^]
en-029
DeleteFileEx: hardlink given to us is: %s
ba_JH
`InIna
Failed to query OS loader identifier. Status = [%x]
syr-SY
8A_A^A]A\_^][
//IMAGE[@INDEX='%u']/DISPLAYNAME
sk-SK
GetMessageW
ServiceSpaces: Skipping non-Windows %s
dsA'UG
fD94Bu
ew0hp
SetEvent
>)VX;
.?AVCCompletedPage@ux@@
_exit
ky-KG
H_^][
fD9,Zu
m]#0D
Ch!Cl!Cp
ZD?D{{
0A^_^
MoveFileExW
bs-Cyrl
drivers\wdm\usbpw\creator\lib\utils\cphysicaldisk.cpp
memtest.efi
Failed to set element application path. Status = [%x]
pwcreator.pdb
mshelp://windows/?id=00000000-0000-0000-0000-000000000000
Failed to flush system partition. Error = [%x]
da-DK
bs-BA-Latn
f4Og|
.?AUIVdsAdviseSink@@
Error creating %s path! Last Error = %#x
\boot\
.?AV?$CTaskDialogImpl@VCSingleInstanceErrorTaskDialog@ux@@@WTL@@
HKEY_PERFORMANCE_DATA
s^zxs
.?AVCRegistryPolicyFile@utils@@
Creating Recovery directory.
.\%s.mui
.?AVCTraceLogger@utils@@
ActivityStoppedAutomatically
.?AVCAeroWizardPageWindow@WTL@@
pa-Arab
48Bz
WinSqmAddToStreamEx
.?AU_ATL_MODULE70@ATL@@
No process found using %s file.
CoCreateInstance
drivers\wdm\usbpw\creator\lib\utils\ccominitializer.cpp
Failed to create recovery store. Status = [%x]
WWW UUTpeee
G;=HN
.?AVCProvisionFailedTaskDialog@ux@@
DestroyPropertySheetPage
.?AVCAtlModule@ATL@@
sr-Latn-ME
}|se_
GetFileAttributesW
|SOURCE|\|RESOURCES|\BOOTRES.DLL
ne-IN
H!D$8H
!L$0H
Yu Gothic UI Semibold
.>@mm
.rdata$r
f9,Ku
SetupDiGetClassDevsExW
`A^_^
Failed to get handle to the system store. Status = [%x]
"Provisioning started"
]PW")
.CRT$XIA
COutOfBoundsException()
ServicingBootFiles failed. Error = %#x
RtlNtStatusToDosError
}R xQS
|$(E3
DispatchMessageW
.?AV?$CPropertyPageImpl@VCImageSelectionPage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
.?AV?$CAsyncResult@V?$vector@V?$shared_ptr@VIPhysicalDisk@utils@@@tr1@std@@V?$allocator@V?$shared_ptr@VIPhysicalDisk@utils@@@tr1@std@@@3@@std@@@utils@@
fA9,Au
nlVKZ
Microsoft JhengHei UI Bold
hFA]R
gPCMachineExtensionNames=[%s]
DestroyIcon
es-PA
sa-IN
x UAVAWH
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
RtlImageNtHeader
FileDescription
SetFileAttributes(%s) failed! Last Error = %#x.
\$ UVWH
bootmgr.exe
Expected provided path "%ws" to start with %ws
zDD>85*#2
Failed to set default bootmgr object. Status = [%x]
ul%G1
dz-BT
\$ VWAVH
~zFF<44$
WindowsImageFriendlyName
UWATAVAWH
wLC`v
bgOne
UUUTUTUTTTTTTTTTTTU
HcEpHk
Cleaning up debugger settings.
ntdll.dll
Failed to set {bootmgr} locale. Status = [%x]
BcdGetElementData
.?AVIProgressContext@bl@@
~zFB<44
AR^q^^@
10.0.17763.1
DeviceIoControl
zh-CHT
vswprintf_s
InitializeCriticalSection
GetSecurityDescriptorOwner failed! Error code = %#x
A_A^A\_^
drivers\wdm\usbpw\creator\lib\ux\cprovisionpage.cpp
x64885_zh
HKEY_DYN_DATA
SetWindowLongPtrW
L$hE3
bootx64.efi
SetWindowLongW
AdjustTokenPrivileges
sr-SP-Cyrl
GetFileVersionInfoSizeW
A_A\_
.?AV?$enable_shared_from_this@VITask@bl@@@tr1@std@@
IsEnterprise
GetNativeSystemInfo
?;19y
%ws.{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
bccn}}}
D$8H9
D$(E3
fD9<Hu
client
CLSID
.?AVCExternalMediaFilter@bl@@
Registry.pol
fA9<Hu
BfspPrintFileOwnerProcess: NtQueryInformationProcessfailed! Status = %#x
xh-ZA
it-CH
<security>
ConvertSidToStringSidW
.?AVCVirtualDiskService@utils@@
D9d$hu(D9U
BitLockerPassword
ar-DZ
drivers\wdm\usbpw\creator\lib\ux\cbitlockerpage.cpp
wqb_]\\\\\\\\\\\\\\\\\\\\
UWATH
bbc*lllj
es-HN
xwqb_
C0D9x4
en-GB
ml-IN
fi-FI
memmove_s
processorArchitecture="amd64"
.rdata$zETW9
.?AV?$_Ref_count@VCFindWindowsImagesWorkItem@bl@@@tr1@std@@
DeleteFileEx: Unable to delete [%s]; GLE = 0x%x
drivers\wdm\usbpw\creator\lib\utils\cusbdisktraits.cpp
enterprisesneval
UVWAVAWH
L$0E3
D$HH9
.?AV?$_Ref_count@VCGetDisksWorkItem@bl@@@tr1@std@@
WINBRAND.dll
|SYSPART|\|DEST|\BCD.LOG
ka-GE
ts-ZA
A_A^A\_]
drivers\wdm\usbpw\creator\lib\bl\cprovisionprovider.cpp
Failed to service spaces bootmgr. Last Error = %#x
Error deleting boottgt(%s)! Last Error = %#x
drivers\wdm\usbpw\creator\lib\utils\cxmldocument.cpp
L9]0u^
.?AV?$CAeroWizardPageImpl@VCBitLockerPage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
Error copying %s to %s. Last Error = %#x
vsprintf_s
TerminateProcess
.?AVCImageSelectionPage@ux@@
Failed to get element application path. Status = [%x]
Using source OS version %I64x
f9,Au
F85B~
drivers\wdm\usbpw\creator\lib\utils\chelppane.cpp
en-BZ
+|$lA3
X][S=
GetEnvironmentVariableW
u'H9n
SetupDiDestroyDeviceInfoList
JIIHRz
SecureStartupFeature-Enabled-Premium
ar-AE
C0D9x4u{
bootarm.efi
tg-Cyrl-TJ
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
v^@R_v~~~
fr-MA
D$@?
H SUVWH
E;AH}
Resource files missing from %s. These files are required for some editions of Windows. If you are servicing older versions of Windows, you can ignore this message.
quc-Latn-GT
YYY%WWWwjjj
ko-KR
NtSetInformationThread
oiAk[
.text$x
wo-SN
fE94xu
CreateMutexW
Client
T$ E3
?MVPPPKDJW
.\%s\%s.mui
drivers\wdm\usbpw\creator\lib\ux\cshutdownblockreason.cpp
}y3#$5"8z
}zFBB44$
SetFileAttributesW
Setting {default} to %wZ
SetDlgItemTextW
Removing duplicate entries.
T\M:5
wcstoul
Opening recovery store from %ws
.xdata$x
L$HH3
WATAWH
%s\%s\%s.mui
ar-YE
A^_^
DevObjOpenDeviceInfo
USAVH
GetModuleHandleW
drivers\wdm\usbpw\creator\lib\ux\csingleinstanceerrortaskdialog.cpp
~[DD84
>drivers\wdm\usbpw\creator\lib\utils\cdeviceinfoset.cpp
Windows\System32\Config\SOFTWARE
uo9|$`tv
Segoe UI
drivers\wdm\usbpw\creator\lib\utils\cregistrypolicyfile.cpp
yR;5#"2 5
Error deleting boot manager(%s)! Last Error = %#x
sd-Arab
L$ E3
D$((Y-
.giats
LLL\SSSJ```+WWW
fr-SN
bs-Latn-BA
DevObjGetClassDevs
.?AV?$CAeroWizardPageImpl@VCCompletedPage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
Failed to query object data. Status = [%x]
!D$TI
ru-RU
DeleteFileEx: Unable to allocate memory for the full path name; GLE = 0x%x
ig-NG
UUUUUUUUUUUUUUUUUUU
mTT0L
0A_A^_
!G?@Bp
pa-IN
OriginalFilename
t$HH;
win:Start
.?AVCCopyImageTask@bl@@
58F~
D9A0~EHcy03
Windows\System32\GroupPolicy
IT$Df
FFFFFFFFFFFG
Version=%d
UUUUUUUUTUTUTTTTTTU
en-us
en-JM
SetNamedSecurityInfo failed! Error code = %#x
drivers\wdm\usbpw\creator\lib\utils\csqmsession.cpp
u#H9o
BcdCloseStore
ImageSizeMb
Failed to open handle to resume object. Status = [%x]
pt-PT
V%&'qoml
fE9<\u
vkp$w
Failed to copy NTLDR object data. Status = [%x]
{>DDZZFX8~
FVEAPI.dll
es-DO
nldOHX
chr-Cher
ou1z[
az-Cyrl
|$8H;
fD94Au
SetupDiOpenDevRegKey
.?AV?$_Ref_count@VCEnableBitLockerTask@bl@@@tr1@std@@
\EFI\Microsoft\Boot\BCD
BcdEnumerateObjects
GetFullPathNameW
Microsoft\Windows\CurrentVersion\Setup\OOBE
dZA0P
DMm@U
EventProviderEnabled
EnableWindow
\$(H+
u=DaT
FirmwareHelpTopic
,,.`}}
es-ES_tradnl
PropertySheetW
UVWATAUAVAWH
{D02B1F72-3407-48AE-BA88-E8213C6761F1}
CreatePropertySheetPageW
Failed to enumerate BCD objects. Status = [%x]
zh-Hant
CloseHandle
L$8E3
Provision
D9G0~CHc_0I
@.reloc
QueryDosDeviceW
@SUWH
bsshmi
99:'nnn`wwu
L;f wyH
fwprintf
}[D<<5$
tzm-Latn-DZ
sss8t
uh4j
Failed to get partition name. Status = %#x
LoadResource
_purecall
.?AV?$_Ref_count@VCWizard@ux@@@tr1@std@@
Failed to adjust token priveleges! Error code = %#x
la-001
GetSystemTimeAsFileTime
.?AVCLauncherFailedTaskDialog@ux@@
A__^[]
IsIconic
SeShutdownPrivilege
ControlTraceW
AtlThunk_InitData
ar-LB
H!\$(H
Failed to open a handle to the bootmgr object. Status = [%x]
yo-NG
.?AV?$_Ref_count@V?$CAsyncResult@V?$vector@V?$shared_ptr@VIPhysicalDisk@utils@@@tr1@std@@V?$allocator@V?$shared_ptr@VIPhysicalDisk@utils@@@tr1@std@@@3@@std@@@utils@@@tr1@std@@
.?AVIWorkItem@utils@@
xv#?H
A^A\]H
iu-Cans-CA
WIMRegisterLogFile
npp-mnm
gfffffffH+
??0exception@@QEAA@AEBQEBDH@Z
Encrypt
.?AV?$_Ref_count@VCUsbDiskTraits@utils@@@tr1@std@@
CharNextW
dc`JI
Leelawadee UI Bold
f9<Hu
SetUnhandledExceptionFilter
WZ8{~
wcscmp
|SOURCE|\|RESOURCES|
</asmv3:application>
pap-029
L$pH+
Z-lnv
iZU`_KHH<Kis
UUUUUTUTTTTTTU
Failed to create a new recovery store. Status = [%x]
nlVOOIO{
D$ E3
RtlFreeHeap
.text
RegLoadKeyW
fD9,Gu
|SYSPART|\EFI\Microsoft\Recovery
tFfA;
8SMXccW:
CTimeoutException()
FAT32
QQQMPPPvaaa
.rdata$brc
D;l$X
BcdQueryObject
ShutdownBlockReasonCreate
Error setting attributes on %s. Last Error = %#x
H!t$ H
pt-BR
fo-FO
WIMUnregisterMessageCallback
L$`E3
\$HIc
bo-CN
.?AV?$CWindowImplRoot@VCAeroWizardFrameWindow@WTL@@@ATL@@
A8Q)u
id-ID
LsaQueryInformationPolicy
D9d$p
t$8I;
fF9<Su
LocalAlloc
.?AV?$enable_shared_from_this@VCAsyncResultNoResult@utils@@@tr1@std@@
E H9K@t3H
.idata$4
Failed to service spaces default bootmgr
yi-001
.?AVITaskProgressContext@bl@@
.?AVCUsbDiskTraits@utils@@
^^^;pop
fD9,pu
CM_Get_Parent
|r@y}
mk-MK
.?AVCWindowsImageContainerObserver@utils@@
SeTakeOwnershipPrivilege
GetTokenInformation
Microsoft YaHei UI Bold
gggGzzz
se-FI
`A_A^A]A\_^[
Component Categories
sr-Latn-RS
__dllonexit
B/P^?
}uqA;5
RegEnumKeyExW
StrFormatByteSizeW
.?AVCDeviceInfoSet@utils@@
Z6559??X
.?AVbad_cast@@
g(/gEOK:7
-66R!
RESOURCES
COMCTL32.dll
Failed to create create {bootmgr} object. Status = [%x]
Error copying font files from %s to %s.Last Error = %#x
~zFF<44$
DevObjEnumDeviceInterfaces
6$55"
L9]0uO
Error uncompressing boot status data log(%s)! Last Error = %#x
\\\\\\\\\\\\\\\\\\\\\\\\\
.?AVLocalMemory@CWindowsImageMetadata@utils@@
__C_specific_handler
@USVWAVAWH
bootaa64.efi
.?AV?$_Ref_count@VCProvisionProvider@bl@@@tr1@std@@
TraceMessage
FveCloseHandle
}uq;6$
z,W7e
|SYSPART|\
0A_A^A]A\_^]
.?AVCModule@utils@@
oLW\f
YYYAhhh
Failed to copy memtest object. Status = [%x]
en-IE
%s\%s
CoGetObject
co-FR
CreateEventW
WindowsImageValidation
|$ AVH
LoadLibraryExA
A8Q)t
bad allocation
.?AUIFileDialogEvents@@
QueryTraceW
H!\$0
D$HfD
\m=&j^_G
.text$mn$00
t$ WH
aaanWWWCiii)
OOO/ZZZzddd
GW8<n
SetLastError
.?AVCDevicePage@ux@@
fA9,Su
.rsrc$01
%ws\Windows\boot
Microsoft JhengHei UI Light
H!t$(D
sNHcK<
GetFileAttributes(%s) failed: File not found.
(Nff]\HC*%y
USVWAWH
ar-OM
Failed to get a handle to the system store. Status = [%x]
BfsInitializeBcdStore flags(0x%08x) RetainElementData:%c DelExistinObject:%c
UseAdvancedStartup
.?AVCAeroWizardFrameWindow@WTL@@
l$4D8-
Failed to QueryDosDevice for %ws (%u).
(('''''
A_A^A]A\_^[]
RegDeleteValueW
E8!u@H!uHH
moh-CA
D$pE3
fF9,xu
WWW5`aa
.?AVCPropertySheetWindow@WTL@@
UUTTTTTTTTTTTU
$8F~
_vscprintf
.?AVCInterlockedInt@utils@@
en-ZW
sr-Latn-CS
fD9$_u
A_A^A]
CAtlException()
@8p)u
C09h4
az-Latn-AZ
*.wim
drivers\wdm\usbpw\creator\lib\ux\cimageselectionpage.cpp
enterpriseseval
$5Bz~$
CoTaskMemRealloc
VirtualAlloc
E\fA;
.?AVCProvisionData@bl@@
zyyy|vv
GetSecurityDescriptorDacl
Failed to set element system root. Status = [%x]
|SOURCE|\Misc\|FWTYPE|\bootspaces.dll
GetTraceEnableLevel
DevObjDestroyDeviceInfoList
my-MM
2222222
chr-Cher-US
_CxxThrowException
[[[Wssr
|DEST|\|BOOTMGR|
xwqb_]\\\\\\
$(SQO
D8l$4uxH
LeaveCriticalSection
L$ USVWAVH
drivers\wdm\usbpw\creator\lib\ux\cblackboardadapter.cpp
Disabled
DeviceSize
),--!
en-ZA
Fonts
3ad'jq
sr-SP-Latn
L$ SVWH
GetTraceLoggerHandle
am-ET
Microsoft Corporation. All rights reserved.
FFFFFFFFF
,g`9C?
sq-AL
.?AVexception@@
.?AVCEnableBitLockerTask@bl@@
L$PH3
(B@}P
gsw-FR
$))//6
|Bh'5
TCO-,
?{uSH
.?AVCServiceBootTask@bl@@
Creating MemTest object.
eu-ES
.?AVCCastFailedException@utils@@
@A^_^][
|SYSPART|\|DEST|\|BOOTMGR|
.text$yd
IsWindowVisible
BcdCreateStore
enterpriseeval
pA^_]
GetWindowLongPtrW
drivers\wdm\usbpw\launcher\dll\csetlauncherworkitem.cpp
CreateDirectoryW
YWUUUUUUUUTUTU
fr-HT
MediaType
WATAVH
O:%sG:%sD:P(A;CI;GA;;;%s)(A;;0x1201bf;;;SY)(A;IOCIOI;GA;;;SY)(A;;0x1201bf;;;BA)(A;IOCIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)(A;OICIIO;GA;;;CO)
comctl32.dll
ar-SA
PA_A^_^]
LcA<E3
.?AV?$CPropertyPageImpl@VCCompletedPage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
DevicePageNavigatePerfEventStarted
SXgUaH
7oD,6
Wadvapi32.dll
fr-BE
t$ 8P)H
//IMAGE[@INDEX='%u']/WINDOWS/ARCH
.-+#
D$dE3
enterprisen
%-10ws%ws
vvv}~~
H WATAUAVAWH
qx)2II %
@.rsrc
.?AVCProvisionProvider@bl@@
WindowsBootCapable
ProvisionHResult
AcquireSRWLockExclusive
~zFDB8$$
drivers\wdm\usbpw\creator\lib\ux\clauncherincompatibletaskdialog.cpp
BCD: %ws
byjA`
/c5VHj4
processorArchitecture="amd64" />
TTBL<
.?AV?$CAeroWizardFrameImpl@VCWizard@ux@@VCAeroWizardFrameWindow@WTL@@@WTL@@
|SYSPART|\|DEST|\|FONTS|
nhOIf
Not Checked
RegUnLoadKeyW
LegalCopyright
K0D9y4t
nl-BE
CallWindowProcW
SendMessageTimeoutW
ATL$__a
fr-MC
.?AVCBlackboardAdapter@ux@@
Enabled
XXX^lll
~zFFz
sHZ6@
%s%s%s%s
Malgun Gothic Semilight
,B>DY
1drivers\wdm\usbpw\creator\lib\ux\cexitwarningtaskdialog.cpp
$7Bz~
arn-CL
,8\v/
version.dll
NG.//
type="win32"
.?AVCSqmSession@utils@@
Ly^X`
is-IS
(*s|?TK:
EncryptionFlags
@A_A^A]A\_^]
dsb-DE
L$0H3
FveCheckPassphrasePolicy
}uA>6$
sw-KE
FlushInstructionCache
RDVDisableBDE
\$hH;
HeapDestroy
fD9<Bu
ProtectKeyWithPassPhrase
Failed to get handle to BCD object. Status = [%x]
.rdata$zzzdbg
WAxK0i
BcdMarkAsSystemStore
WARNING
WAVAWH
UUUjNNNObbb:ttt
fr-LU
AtlThunk_FreeData
.rdata
realloc
??1type_info@@UEAA@XZ
??0exception@@QEAA@XZ
RegDeleteKeyW
SetThreadpoolThreadMinimum
.?AVCAbstractWizardPage@ux@@
ur-PK
dde&`a`xxxw
Error deleting stale spaces dll (%s)! Last Error = %#x
A_A^_^[]
Servicing spaces files
|$0H;
t$xE3
ar-SY
Da6N^
.?AVCDiskExtents@CPhysicalDisk@utils@@
Failed to copy objects of type %08x data. Status = [%x]
%UM;%
x^RKC%x
ti-ER
wcsstr
ba-RU
L$ WH
D$$I;
h_^[]
fF9<Bu
fE94ou
BfspCopyFile(%s, %s) failed! (Attempt %d of %d) Last Error = %#x
x AWH
fA9<@u
xv#rql
0A^A\_^]
.?AV?$_Ref_count@VCDiskLayoutTask@bl@@@tr1@std@@
WWTV^d\G
enterprisesn
WaitForSingleObject
pwcreator
RtlInitUnicodeString
G|$L3
z>60,?~
}[DB<54
en-ID
lstrlenW
P[|8c
CAtlException( HRESULT_FROM_WIN32( WAIT_FAILED ) )
OpenProcessToken
jP::X
@A_A^]
GetModuleFileNameA
PA_A^A\_^[]
<autoElevate>true</autoElevate>
BfspSetSecurityDescriptor(%s) failed! Last Error = %#x
StartTraceW
.?AV?$CTaskDialogImpl@VCLauncherIncompatibleTaskDialog@ux@@@WTL@@
Failed to get element device type. Status = [%x]
SVWATAUAVAWH
0A_A^A\
FindResourceExW
SetupDiCreateDeviceInfoList
NtReadFile
t$8E3
$<F~
D9AH~EHcyH3
fr-FR
Z6{(d
SHGetKnownFolderPath
#$<E$
drivers\wdm\usbpw\creator\exe\cportableworkspacecreatorlogger.cpp
SetNamedSecurityInfoW
memcpy
SetForegroundWindow
.idata$3
XA_A^A]A\_^[]
H!\$0H
DevObjGetDeviceProperty
ucZciiXMUUXt
f{oV!;
pRDVAllowBDE
.?AV?$CPropertyPageImpl@VCProvisionPage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
mn-Mong-MN
mshelp://windows/?id=b11a15a9-2066-4086-803f-d1961a43d565
Failed to set element description. Status = [%x]
WdsCopyFileEx: Failed to strip file attributes for %s, will delete. GLE = 0x%x
ISPCAT
ew|>&=4_
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
fflush
az-Cyrl-AZ
f94Ju
CreateFileMapping(%s) failed! Error code = %#x
.?AVCShellFileOpenDialog@WTL@@
Failed to remove duplicate object from bootmgr display order. Status = [%x]
L$ fD
.?AV?$CAsyncResult@_N@utils@@
F=B?I
:%u!H
1oZ)0P
SearchPathW
;;< ooof
SetupDiGetDevicePropertyW
DevicePath
(_^][
__setusermatherr
UATAUAVAWH
Printing processes using %s file.
,+S!]
HeapFree
es-CR
.?AVCIcon@ux@@
Malgun Gothic Bold
ff-Latn-SN
SeRestorePrivilege
assertVersion
GetTickCount
Microsoft YaHei UI Light
UUTTTTTTTTTTTTTTTTU
onnO~}~
L$@E3
\$<E9
&cPJ)
onj[XUTUTTTTTTTTTTT
;200*)%%#
.CRT$XIY
GetVolumeInformationW
J0r)+
L$@H3
PostMessageW
Provisioning started
E;A0}
~zuskk}
/>
D$XH;
;0.*%#
WEVT_TEMPLATE
$5B[~
.?AVCBitLockerPage@ux@@
uIDAT
iu-Latn
@|Xdrivers\wdm\usbpw\creator\lib\bl\cprovisiondata.cpp
#Or$i
K3+,l
UWAVH
MultiByteToWideChar
`A_A^A]_^[]
zh-MO
es-CL
A_A^A\
GetSecurityDescriptorSacl
/fD;e
FveIsPassphraseCompatibleW
|SYSPART|\|DEST|\|RESOURCES|
@VWAVH
EventSetInformation
MapViewOfFile(%s) failed! Error code = %#x
zuaH9
t2M;<$u
DeleteFileEx: Unable to get full path name on [%s]; GLE = 0x%x
uz-Latn-UZ
hr-HR
GlobalCollection
.?AUIRegistrarBase@@
.?AVCMutex@utils@@
}uq;63
drivers\wdm\usbpw\creator\lib\utils\cmodule.cpp
.?AVCGetDisksWorkItem@bl@@
UWAUAVAWH
fE9$Fu
O:%sG:%sD:P(A;;FA;;;%s)(A;;GRGX;;;BA)(A;;GRGX;;;SY)(A;;GRGX;;;BU)S:(AU;FASA;0x000D0116;;;WD)
!C#`3
UnregisterTraceGuids
heICx
_='95
qps-ploc
WimVersionInformation
<requestedPrivileges>
SHELL32.dll
drivers\wdm\usbpw\creator\exe\main.cpp
Failed to close recovery store. Status = [%x]
en-CA
ha-Latn-NG
//IMAGE[@INDEX='%u']/DESCRIPTION
|~|~D
tn-ZA
AGdrivers\wdm\usbpw\creator\lib\utils\cenhancedstorageutils.cpp
UUUUUUU
babBvvv
Windows To Go Recovery Key %ws.txt
Failed to mark store as system store. Status = [%x]
{85$
ObH! D
|SYSPART|\|DEST|\BOOTSTAT.DAT
Failed to close the system store. Status = [%x]
WIMGetImageInformation
IDATcW
wpp~wC<
WEVT\
.?AVCNotSupportedException@utils@@
_ismbblead
//IMAGE[@INDEX='%u']/WINDOWS/VERSION/MINOR
.?AV?$CAtlModuleT@VCComModule@ATL@@@ATL@@
Failed to set locale data. Status = [%x]
}\[Qo
drivers\wdm\usbpw\creator\lib\bl\ccopyimagetask.cpp
R1:6F:
NtWriteFile
%ws\Windows
@SUVWATAVAWH
UWATAUAWH
SUVWH
WATAUAVAWH
ro-RO
CM_Get_Device_IDW
count
</dependentAssembly>
totalHits
Rp& $
A^_^[]
u)L9~
L$ UH
.?AVCAutoPrivilege@utils@@
u,f9]
h:}Z,
quz-PE
tn-BW
`A_A^_
|$ E3
A_A^A]A\_
.CRT$XCAA
\$@E3
yq>63
fD98u
sr-Cyrl-ME
\$ UH
NtQueryInformationFile
iu-Latn-CA
lv-LV
ADVAPI32.dll
||]Ia
O:SYG:SYD:P(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)
.00cfg
\$XH;
_wcsicmp
D9d$huGL
H!\$h
\$huWI
FreeLibrary
.?AVCInvalidOperationException@utils@@
GetWindowTextW
gfffffffI
Failed to get token information! Error code = %#x
zB>:1IH'
pcontains
qps-plocm
fD93t
es-CU
fD9<Cu
'R{=f
T$0E3
UVWATAVH
ks-Deva-IN
OpenThreadToken
ATAVAWH
InstallSourcePageToReadyToCreatePage
t;H!\$0A
FWTYPE
Wdrivers\wdm\usbpw\creator\lib\ux\clauncherfailedtaskdialog.cpp
CompanyName
hgtlCm
usp`^
usbstor
5<[~
EFI\Microsoft\Boot
GetCurrentThreadId
@A_A^_
EncryptionMethod
nso-ZA
rrr?~~~
__getmainargs
.?AVCAllPhysicalDiskFilter@utils@@
CInvalidOperationException()
.?AV?$CVisitor@V?$CPathT@V?$CStringT@GV?$StrTraitATL@GV?$ChTraitsCRT@G@ATL@@@ATL@@@ATL@@@ATL@@@utils@@
Edrivers\wdm\usbpw\creator\lib\ux\cicon.cpp
imageSize
u HcA<H
@SVWATAUAVAWH
Process Name = %s
drivers\wdm\usbpw\creator\lib\utils\cetwlogger.cpp
NtQueryVolumeInformationFile
M%1766
Failed to delete debugger settings element %08x. Status = [%x]
GetProcessHeap
fy-NL
.?AVCBitLockerPolicy@utils@@
$$$$$$ZZsuscZUU_z
Sleep
HA^_^[
f94Ku
GetFileSizeEx
.?AVCVdsSwProvider@utils@@
HKEY_CLASSES_ROOT
es-EC
t-9\$0u'H
Failed to log servicing event to bootstat %ws. Status: 0x%x
Failed to copy bootmgr object data. Status = [%x]
W:=Zba^\\Z^cW9
USERPROFILE
~zzF<44$
Failed to update bootmgr display order. Status = [%x]
uz-Cyrl
GlobalFree
z?801i:It6
GetUserDefaultUILanguage
fD99u
mshelp://windows/?id=884465ea-54ad-4e01-a8ce-962c5e3ee4ff
H!\$8H
.?AVCVdsObserver@utils@@
en-HK
(t$ H
OsLoader identifier: %wZ
.?AVCWindowsImageContainer@utils@@
{ AVH
atlthunk.dll
UXH9Q
</security>
BfspPrintFileOwnerProcess: NtOpenProcess failed!Status = %#x
sd-Deva-IN
BFSVC Error: %s
^q=6=q
mi-NZ
#Kbp!T
+L$hD3
tzm-Tfng-MA
RegOpenKeyExW
iswalpha
<assemblyIdentity
wcsncpy_s
DeviceLetters
.?AV?$_Ref_count@VCBlackboard@ux@@@tr1@std@@
CpdBM
drivers\wdm\usbpw\launcher\dll\claunchergrouppolicy.cpp
Unable to open file %s for read because the file or path does not exist
drivers\wdm\usbpw\creator\lib\utils\cbranding.cpp
.?AVCLauncherIncompatibleTaskDialog@ux@@
j?,i>l@X,8`
FindFirstFileW
_wcsnicmp
SyspartGetSystemPartition
JJJ|999I888
52.c5VHa42.c5Rich3.c5
UseTPMKeyPin
.?AUIUnknown@@
kn-IN
?drivers\wdm\usbpw\creator\lib\utils\cusbdisk.cpp
Creating new recovery store %ws
PA_A^A]A\_^]
LockResource
\Device\HarddiskVolume
>VTW#
<D)]G
fA94Iu
l$ VWAVH
tk-TM
`A^[]
`A_A^A\_^[]
h VWAVH
?what@exception@@UEBAPEBDXZ
USVWAVH
D$8H;
FindNextFileNameW
zh-CN
ServiceBootFiles MuiOnly:%c Res:%c Fonts:%c BootMgrOvw:%c BootStatOvw:%c DbgTrn:%c SuspendBDE:%c
{@t H
es-BO
.?AV?$_Ref_count@VCAsyncResultNoResult@utils@@@tr1@std@@
Failed to open handle to Memtest object. Status = [%x]
vtqa^]\\\\\\
BcdSetElementData
th-TH
L$ SUVWH
en-NZ
s0mZP
Failed to determine source OS version.
.?AVCTaskManager@bl@@
si-LK
en-IN
Default
WindowsImageSizeInMb
Software\Policies\Microsoft\FVE
ha-Latn
.?AV?$CTaskDialogImpl@VCProvisionFailedTaskDialog@ux@@@WTL@@
NtCreateEvent
xwqb_]\\\\\\\\\\\\\
z+&''
es-419
??0exception@@QEAA@AEBQEBD@Z
%s\%s.mui
R$fA;Z*
\StringFileInfo\%04x%04x\InternalName
wcsrchr
EFIDEFAULT
sr-Cyrl-RS
//IMAGE[@INDEX='%u']/WINDOWS/EDITIONID
gl-ES
DeviceID = "%s"
ug-CN
PA^A\_^]
UATAVH
fr-CA
bs-BA-Cyrl
F#5B[~
D$PE3
tzm-Tfng
\EFI\Microsoft\Boot\
}uq;6!
=+r|n
D$`Hc
fr-ML
hy-AM
bpjQJ
memmove
fD94Fu
.?AV?$_Ref_count@VEncryptableVolume@@@tr1@std@@
.?AVCProvisionPage@ux@@
,,,vm
FriendlyName
Failed to set bootmgr tools display order. Status = [%x]
_callnewh
RPCRT4.dll
|SOURCE|\|FWTYPE|\|BOOTMGR|
f94Bu
StringFromGUID2
__set_app_type
Error creating boot status data log(%s)! Last Error = %#x
GetKeyProtectorNumericalPassword
FindFirstFileNameW
c0) r
mn-Cyrl
}FBB44
;t$`})
ar-MA
.?AVIAsyncResult@utils@@
|SYSPART|
type="win32"
bootfix.bin
.?AVCTimeoutException@utils@@
Failed to create path for default EFI application. Last error = %#x
GetVolumeNameForVolumeMountPointW
mni-IN
IDATx
D$x9D$$A
^ZK>~
PA^_^H
.?AVIPhysicalDiskFilter@utils@@
.?AV_Ref_count_base@tr1@std@@
040904B0
midOOIH
|SYSPART|\|DEST|
.rdata$zETW2
SizeofResource
CreateFileMappingW
fD;8uwH
@USVWAVH
NtQueryInformationThread
Failed to get system partition! Last Error = %#x
mMbM|
en-PH
lstrcmpiW
fB94Su
\$pE3
swprintf_s
HcA<H
.?AVbad_alloc@std@@
A_A^A]A\_^]
m_exception
.?AVCGroupPolicyTemplateSettings@utils@@
PeekMessageW
A_A^]
drivers\wdm\usbpw\creator\lib\utils\cgrouppolicytemplatesettings.cpp
FFFFFFFFFFFF
wmGee9
|||fjfha
Y@H9;u+L
CreatePath: Unable to create [%s]; GLE = 0x%x
JHcH<
DevObjGetDeviceInterfaceDetail
Failed to flush system volume. Error = %#x
4fg'1=5Q
Failed to service spaces DLL. Last Error = %#x
SHLWAPI.dll
.?AVCWindow@ATL@@
TranslateMessage
.?AVCUsbDisk@utils@@
WinSqmStartSession
SOURCE
.?AVbad_weak_ptr@tr1@std@@
ms-MY
DeviceCharacteristics
fA9,Ju
sah-RU
GetClientRect
ERROR
.?AVCVdsPack@utils@@
drivers\wdm\usbpw\creator\lib\utils\cvolume.cpp
fD94yu
H;]`u
@USVWAWH
st-ZA
ForceRemove
cy-GB
Failed to set element display order. Status = [%x]
TelemetryAssertDiagTrack
.?AVIAsyncCallback@utils@@
ServiceSpaces: Skipping %s
br-FR
GetSecurityDescriptorControl failed! Error code = %#x
WideCharToMultiByte
RegQueryValueExW
.c5VH
}uq>;3!
t$(E3
A_A^_^[
@SVWH
VarFileInfo
name="Microsoft.Windows.Common-Controls" version="6.0.0.0"
LHcH<
_fmode
rzzzuyy
HRESULT
BrandingFormatString
x?E;J
$DDAA@D
ve-ZA
u&L9~
WNNNPM\bW
D9d$h
ControlSet001\Services\Partmgr\Parameters
QBA$b,
D;t$H
UUTUTUTUTUTUTU
CreatePath: Unable to create parent directory for [%s]; GLE = 0x%x
</requestedPrivileges>
.?AVCLauncherResources@ux@@
NtOpenFile
.?AVIPhysicalDisk@utils@@
mshelp://windows/?id=ca607790-adf6-41a7-abd8-0a1f2feb70b1
__Path
sources\install.wim
ssUkC
TUUUUUU
VWAWH
oc-FR
GetFileVersionInfoW
D9t$H
_vsnwprintf
UUTUTUTUTUTUTUTUTUU
//IMAGE[@INDEX='%u']/NAME
smn-FI
WIMGetImageCount
aLLL`
DeleteFileEx: Trying to set back attributes on: %s
CreateFileW
smj-NO
ppwlauncher.dll
D9t$p
zh-TW
UseTPM
fD98t
drivers\wdm\usbpw\creator\lib\bl\cserviceboottask.cpp
<requestedExecutionLevel
WIMCloseHandle
Opening store from %ws
ca-ES
{i0'
T5>I
}uq>63
f9A u
SUVWAVH
L$PE3
.?AV?$_Ref_count@VCSetLauncherWorkItem@@@tr1@std@@
A^_^][
.?AVCComInitializer@utils@@
UninstallWindowsRE
.?AV?$CPropertySheetImpl@VCWizard@ux@@VCAeroWizardFrameWindow@WTL@@@WTL@@
nl-NL
FormatMessageW
)drivers\wdm\usbpw\creator\lib\utils\cvirtualdiskservice.cpp
/,`uu
et-EE
sources
"+VigY
_wcstoui64
\System32\bootstr.dll
||jjfaf
}}qqu
9]0u"H
CoUninitialize
&677q
.?AVCSetLauncherWorkItem@@
SELECT * FROM %s WHERE %s
<!-- Copyright (c) Microsoft Corporation -->
prs-AF
{ UAVAWH
A_A^A]A\_
10.0.17763.1 (WinBuild.160101.0800)
.?AVCVolumeProperties@utils@@
NoRemove
+++&DED_VVT
sQPI[5T
DeleteCriticalSection
RaiseException
GetWindowLongW
9]0u%H
RtlCaptureContext
VolumeKeyProtectorID
RtlCompareMemory
tr1::bad_weak_ptr
.?AVCWindowsImage@utils@@
.?AV?$CTaskDialogImpl@VCLauncherFailedTaskDialog@ux@@@WTL@@
bg-BG
C0D9x4u,H
~zFB<4$
uiAccess="false" />
x ATAVAWH
gfffffffH
RDVEncryptionType
rw-RW
d|BNeU
D$@I;
uz-Latn
A_A^A]A\_H
ImageCharacteristics
A_A^A\_^[
HRESULT 0x%8.8x
InstallSourcePageNavigatePerfEventStarted
win:ResponseTime
qps-Latn-x-sh
$5Bz~
\\?\Harddisk%uPartition%u\%s
```tMMMEVVV2XXX
}uuA;6$
!t$4L
]`;]X
name="pwcreator"
uz-Cyrl-UZ
Failed to open file %s for read! Error code = %#x
tzm-Latn
HeapReAlloc
1100WWVj322E
v:fD9d$Ru
EnumWindows
fr-029
\$<A;
Failed to open handle to the OS loader object. Status = [%x]
->Eajk
,)*"!
l$(E3
}[F@<7$
HKEY_LOCAL_MACHINE
A_A^_
bs-Cyrl-BA
quc-Latn
WIMApplyImage
H!\$PL
WriteFile
NtClose
he-IL
DriveLetters
VirtualFree
DeviceFirstVolumeName
WWmWs|s
A_A^A\
//IMAGE[@INDEX='%u']/TOTALBYTES
8S)uIL
az-Latn
H;]Pu
DestroyWindow
.?AV?$CShellFileDialogImpl@VCShellFileOpenDialog@WTL@@@WTL@@
H9\$P
ProtectKeyWithNumericalPassword
qps-ploca
&&&(~~~
L9u0uV
be-BY
lt-LT
@USVWATAVAWH
BcdForciblyUnloadStore
InterlockedPopEntrySList
2222222222
timestamp
Machine
7fD;>u
SetWindowTextW
nb-NO
ja-JP
imageName
^BNQ,^
.?AVCUniqueId@utils@@
|$`A;
9\uiH
BfspPrintFileOwnerProcess: NtQueryInformationProcessfailed in unexpected manner! Status = %#x
Creating OsLoader object.
drivers\wdm\usbpw\creator\lib\bl\capplyimagetask.cpp
install.wim
Failed to get element data. Status = [%x]
gd-GB
ReleaseSRWLockExclusive
Architecture
CAtlException( HRESULT_FROM_WIN32( result ) )
}X9(%D
nlVL|
Failed to get handle to the template store. Status = [%x]
4NL;t$8
D9GH~?Hc_HI
Failed to open handle to fwbootmgr object. Status = [%x]
ru-MD
RtlLookupFunctionEntry
.?AVCApplyImageTask@bl@@
GetTraceEnableFlags
de-CH
CNotSupportedException()
QueryPerformanceCounter
Failed to set element OS device. Status = [%x]
D;|$
effffff
NtSetInformationFile
CreateThreadpool
Assert
-PilldOOJH,
msvcrt.dll
VY$[X
\$ UVWATAUAVAWH
StringFileInfo
ar-EG
t$ WAVAWH
Software
@USVATAWH
0A_A^A]A\_
Microsoft YaHei UI
drivers\wdm\usbpw\creator\lib\ux\cprovisionfailedtaskdialog.cpp
ole32.dll
gxI3!'
RDgg1>
GetSystemDefaultUILanguage
000`,
es-ES
SetupDiOpenDeviceInterfaceW
+L$l3
H;^xu
Vving1
.?AVCDiskObserverWorkItem@bl@@
Unable to GetVolumeNameForVolumeMountPoint %ws (%u).
$>b~t
7T})gW
GetSecurityDescriptorGroup
.text$mn
ProvisionCharacteristics
Error deleting bootnxt from the BOOT folder (%s)! Last Error = %#x
SVWATAVH
D$XE3
BFSVC: %s
Checked
Resources
Failed to open a handle to the OS loader element. Status = [%x]
WdsCopyFileEx: Failed to delete %s. GLE = 0x%x
@8p(u
eYgcc
~@Hcq
Failed to create a new system store. Status = [%x]
WIMCreateFile
\\?\UNC
x;;^ }6H
QueueUserWorkItem
publicKeyToken="6595b64144ccf1df"
LsaFreeMemory
fr-CI
.?AVCAbstractTask@bl@@
Windows\System32\Config\SYSTEM
.?AVIBlackboard@ux@@
kok-IN
Interface
.?AV?$CTaskDialogImpl@VCExitWarningTaskDialog@ux@@@WTL@@
FED75
SUVWATAUAVAWH
idrivers\wdm\usbpw\creator\lib\ux\creadytocreatepage.cpp
HTREE\ROOT\0
Failed to expand Recovery directory path
%s%s%s
uk-UA
d$hE3
LsaOpenPolicy
DecodePointer
EventWriteTransfer
hwp1p0
InitCommonControlsEx
BCD strings MUI load failure %ws (%u).
WdsCopyFileEx: Failed to copy [%s] to [%s], GLE = 0x%x; will retry in %u ms
PathAppendW
.?AVCSingleInstanceApplication@ux@@
KEYWD
.?AV?$enable_shared_from_this@VCProvisionProvider@bl@@@tr1@std@@
|SYSPART|\|DEST|\BCD
SETUPAPI.dll
zh-Hans
sr-Cyrl-BA
T$@E3
FveOpenVolumeW
tg-Cyrl
.?AV?$_Ref_count@VCCopyImageTask@bl@@@tr1@std@@
L$`H3
fD9$Cu
f9,Ou
u'L9~
D$@E3
@U^sssqu~
GetFileInformationByHandle
fr-CD
G(H9G
OHcP<
L$ SWH
fe3gE1#
|||f|jjjj
ar-LY
lmkiZV
<dpiAware>true</dpiAware>
Failed to set bootmgr display order. Status = [%x]
FONTS
t$lIc
ks-Arab
Creating Resume object.
.?AVCComModule@ATL@@
}[D<8$$
|rSv}
JMM=W
UuidCreate
SanPolicy
fD9,yu
Failed to create create general objects. Status = [%x]
EventActivityIdControl
RDVEnforceUserCert
HA_A^A]A\_^][
fE9$nu
D$xH9D$pt
.rdata$zETW1
hu-HU
A^A\_^]
??1exception@@UEAA@XZ
FQm|eeE}w
Module_Raw
drivers\wdm\usbpw\creator\lib\utils\casyncresultnoresult.cpp
CoCreateGuid
dc`JIGFFFFFF
W==^a^\ZZW^bTD
ur-IN
RtlVirtualUnwind
~}[DB<5$
,+?O&
SP@V'
|$ UH
.?AVCVolume@utils@@
\551edc`
GetModuleFileNameW
//IMAGE[@INDEX='%u']/WINDOWS/INSTALLATIONTYPE
@SVWATAUAVAW
sr-BA-Cyrl
tzm-Arab-MA
USVWAUAVAWH
??3@YAXPEAX@Z
+dBVY
RtlCheckPortableOperatingSystem
itH`1
drivers\wdm\usbpw\creator\lib\utils\cbitlockerutils.cpp
_wcsupr
level="requireAdministrator"
|||jaa
|$XH9T$ht<H
fD9<Nu
System
fD94Ou
s]Z<C}iIC
d2<O XH
WelcomePageToDevicePage
.CRT$XCA
w9X!P/
NtQueryInformationProcess
BcdSetElementDataWithFlags
H;\$Ht0H
KERNEL32.dll
\\\hWWW:LLL ^^^
BfspPrintFileOwnerProcess: Failed to acquire debugprivilege
es-SV
UseTPMPIN
}kik|~~zusccc|
f;D$@
Copying font files from %s to %s...
T?u].
)t$`H
uqA63!
jSS]f
FWph?r
UnhandledExceptionFilter
DeviceSizeGb
DefWindowProcW
EventUnregister
BfspCopyFile failed to delete temporary file (%s)! Last Error = %#x.
Invalid attributes (%#x) specified for %s file!
wcscpy_s
G$H;A$u
GetVersionExW
@SUVWATAUAVAWH
~}y{www
MapViewOfFile
.?AVCAutoLoadRegKey@utils@@
ProtocolType
enterprise
.?AVCDiskTraits@utils@@
hA_A^_^[]
<asmv3:application>
f9,Yu
\boot\BCD
VS_VERSION_INFO
?=u$L
Creating General objects.
Copying boot files CopyBootManager(%s) %s -> %s
x UATAUAVAWH
ff-NG
$7Bz~
A_A^_^]
C0D9x4u4
!L$4A
&&&000
as-IN
.CRT$XCZ
bsearch
Win32_EncryptableVolume
.?AV?$CAeroWizardPageImpl@VCDevicePage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
sma-SE
\System32\config\BCD-Template
f9,Bu
lb-LU
ServiceSpaces: Failed to copy %s to %s. Last Error = %#x
sv-SE
imagehlp.dll
nn-NO
<description>Portable Workspace Creator</description>
{0KPRS|
}uuq;
Failed to get file size for %s! Error code = %#x
drivers\wdm\usbpw\creator\lib\ux\cabstractwizardpage.cpp
T$@f;U
}u^y}
H!|$`3
`A^_^[]
SendMessageW
USVWH
Failed to validate boot manager checksum (%s)! Error code = %#x
SeBackupPrivilege
sskiLU,
wgrvEv
DriveListPopulation
H;T$@t
.data
.?AV?$_Ref_count@VCDiskObserverWorkItem@bl@@@tr1@std@@
Resume application not found. Note, if you are servicing Windows PE or Windows RE boot files, you can ignore this message.
+B9&(
GetVolumePathNameW
A_A^A]A\_^][
fE9|E
Global\d2d609d3-fec2-4cf1-99f8-2a066c8846ae
.?AVIProvisionProvider@bl@@
PathFileExistsW
Segoe UI SemiBold
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
StartProvisioning
___frrr
L$8H;
memset
=map/set<T> too long
3jdrivers\wdm\usbpw\creator\lib\utils\cwindowsimagecontainer.cpp
mt-MT
SSSD[[[
GetActiveWindow
0A_A^A\_^][
:\#Nt
fA94Au
onj[ZUUUUUUU
~AHcY
f9A t'f
~[DFD
FooOzrr
DeleteFileEx: Unable to clear out attributes on [%s]; GLE = 0x%x
\$ UVWAVAWH
GetProcAddress
l`LAZaP
dv-MV
.?AV?$CDialogImplBaseT@VCAeroWizardPageWindow@WTL@@@ATL@@
yG*$^
-PimlldOMIH'
l6s+o
bbc4sssy???F
drivers\wdm\usbpw\creator\lib\ux\cdevicepage.cpp
IsWindowEnabled
ProductName
u)D8-U
$58F~
LdrAccessResource
fD; t
H H;N
CLauncherIncompatibleMultipleBootDisksException()
TASK4
k 141+/Gcp|
ga-IE
Failed to copy Boot Manager to default EFI application. Last error = %#x
.idata$6
Microsoft.Windows.WindowsToGo.Startup.Options
<assemblyIdentity
TaskDialogIndirect
fE9tu
el-GR
NtOpenProcess
RDVPassphrase
BcdSetLogging
ukWk5
Opening template from %ws.
1.,+_FECx@><u
Invalid parameter passed to C runtime function.
.?AVCOutOfBoundsException@utils@@
BcdOpenStore failed with unexpected error code, Status = [%x]
GetParent
rr~~~~~~q
.?AV?$_Ref_count@VCBlackboardAdapter@ux@@@tr1@std@@
@A_A^_^]
|$$\r3H
\GLOBAL??\
|SYSPART|\|DEST|\bootspaces.dll
tr-TR
Failed to open a handle to the template store. Status = [%x]
D$HE3
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
|||aj
xL9OP
PathRemoveBackslashW
Logging boot file servicing to bootstat log %ws.
$&''111
.?AVCThreadExecutionState@utils@@
D9d$huDH
Microsoft.Windows.WindowsToGo.Creator.Tool
GetWindowTextLengthW
te-IN
PA^_^
H9Ehu
.?AV?$CAeroWizardPageImpl@VCReadyToCreatePage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
FileVersion
Error copying boot files from %s to %s! Last Error = %#x
HeapSize
Software\Policies\Microsoft\PortableOperatingSystem
|$"\u
|$hA;
.?AVlength_error@std@@
SVWAVH
.?AV?$CShellFileOpenDialogImpl@VCShellFileOpenDialog@WTL@@@WTL@@
p AWH
D9d$hu%D9U
drivers\wdm\usbpw\creator\lib\utils\cuniqueid.cpp
.?AV?$CAeroWizardPageImpl@VCImageSelectionPage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
Locale
}uq;;3!
ar-JO
<unknown>
rY&'K
invalid vector<T> subscript
t$ E3
fD94Xu
BcdOpenObject
sr-Cyrl
WimEdition
WimName
ar-KW
@W=7A=
or-IN
=DG6M
GetProcessMitigationPolicy
DeviceFriendlyName
fA9Z*v$A
UAVAWH
A_A^_
memcpy_s
~zzDB75$
~}FD<4$
Delete
RtlFreeUnicodeString
Segoe UI Light
NtOpenSymbolicLinkObject
USVWATAVAWH
ShutdownBlockReasonDestroy
nlldOIH
.?AVCSingleInstanceErrorTaskDialog@ux@@
BcdCloseObject
fD9$ou
quz-EC
m,//#
9(7Hs
m$QiQ4
.?AVITask@bl@@
Create BOOTMGR object RetainBootDefault:%c
fE9<Hu
xA_A^A]A\_^[]
H9E@sZH
8>>~3G
File %s is too large!
om-ET
~=R)u
\\.\%c:
VerQueryValueW
ConvertStringSecurityDescriptorToSecurityDescriptor failed! Error code = %#x
CoTaskMemAlloc
es-GT
.?AVCExitWarningTaskDialog@ux@@
@UVWATAUAVAWH
H;\$0
ProvisioningResult
EventRegister
Launcher
d$`I;
es-PR
kk-KZ
H!t$(H
.?AV?$CPropertyPageImpl@VCBitLockerPage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
"Provisioning complete"
toupper
@UVWH
.?AVCDevice@ux@@
DeleteFileW
CoInitializeEx
drivers\wdm\usbpw\creator\lib\utils\cautoprivilege.cpp
uqA63
xxx0www
.?AVout_of_range@std@@
InvalidateRect
9[General]
de-LU
HeapAlloc
A_A^A\_^
8Q)u0H
Error expanding string %s. Last Error = %#x
EFI\Boot
0A__^
T$pE3
5<F~
odrivers\wdm\usbpw\creator\lib\ux\clauncherresources.cpp
UTTTTTTTTTTTTTTTTTU
es-PY
K09i4t
~Rjpjr
SVWAVAWH
y*.7]
__iob_func
ps-AF
f9A t
.data$brc
ControllerType
ibb-NG
H3E H3E
InternalName
GetAncestor
TEMPx
enterprises
GetFileAttributes(%s) failed! Last Error = %#x.
en-AU
km-KH
RL=2)
D9d$hu%9U
malloc
HKEY_CURRENT_CONFIG
H;D$@u
.?AVCRecursiveFindFile@utils@@
UUUUUUUUUUUUUU
Invalid VolumePathNameLegth %ws
.?AVCXmlDocument@utils@@
hr-BA
Failed to copy resume object data. Status = [%x]
Failed to lookup privelege! Error code = %#x
hi-IN
$8Fz
}uA>63!
Microsoft\Windows\CurrentVersion\Reliability\WinRE
$8Dz
D$0f98u4H
.?AVCDiskObserver@bl@@
.rsrc$02
WIMGAPI.DLL
\$ UVWATAUAVAW
Error uncompressing boor manager (%s)! Last Error = %#x
_unlock
s)(uA
$)56)$
ModuleCollection
"4)%%%%%%%%%#
{y^95)))!
fr-RE
.?AV?$CAeroWizardPageImpl@VCProvisionPage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
SetupDiOpenDeviceInfoW
WindowsImagePath
en-US
drivers\wdm\usbpw\creator\lib\ux\cblackboard.cpp
(t$0H
EnableTrace
CheckSumMappedFile
A_A^A]A\_^]H
ku-Arab
<dependency>
FindNextFileW
XUUTTTTTTTTTTU
OLEAUT32.dll
kernel32.dll
M@8P)
CoSetProxyBlanket
uY9T$`vSL
usbehci
pwcreator.exe
|SYSPART|\BOOTNXT
.text$di
REGISTRY
FindClose
PA__^[]
BcdDeleteObject
USVWAVAWH
ti-ET
zFF<8$$
H+;H;K
onj[YUUUUUUUUUUTUTU
VATAUAVAWH
ii-CN
BFSVC Warning: %s
VWATAVAWH
9{@vAH
SeSecurityPrivilege
Y&iSan
GetTempPathW
==7=W=Z0
ca-ES-valencia
UnregisterClassA
A}_ys
|$`E3
haw-US
GetCurrentProcessId
XXXjWWWNmmm2{{{
Failed to get a handle to the OS loader. Status = [%x]
LMkkYSS?X~
ro-MD
L$XH3
RegCreateKeyExW
@A^_^[]
ttqmrpl
es-PE
.rdata$zETW0
$`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
C0D9x4udfD;
Hardware
Error setting security attributes on %s. Last Error = %#x
pl-PL
PA^A\_^[
!D$PA
vi-VN
ReturnValue
BcdCopyObjects
yR:KEC%
fE9<Au
ar-QA
.?AV?$_Ref_count@VCServiceBootTask@bl@@@tr1@std@@
GetSystemMetrics
Module
lo-LA
gpt.ini
qrq=)(Kbb\IEC%
fA9(tsM
.?AVCBitLockerRecoveryKey@utils@@
.?AVCShutdownBlockReason@ux@@
H;]Pu
TTTC\]]
drivers\wdm\usbpw\creator\lib\utils\cmachine.cpp
.?AVIWizard@ux@@
[[[}KKKZVVVG\\\'EEE
.?AVCRegObject@ATL@@
.?AV?$_Ref_count@VCPortableWorkspaceDiskFilter@bl@@@tr1@std@@
@USWH
8\$@u&H
@USVWH
CoTaskMemFree
GetDlgItem
PostThreadMessageW
`A\_]
ms-BN
.?AVCInternalProvisionData@bl@@
fr-CM
-PknmliWOMH+'X
~}[D<85$
.CRT$XIZ
fA9L}
bcd.dll
ServiceSpaces: Failed to create path %s. Last error = %#x
w"H+3H
InterlockedPushEntrySList
bootmgr
//IMAGE[@INDEX='%u']/DISPLAYDESCRIPTION
DEVOBJ.dll
9T$`A
EncodePointer
!This program cannot be run in DOS mode.
FEC64
l+}0DF
fA9<Gu
LcL$xH
@A^_^
H#D$Xt
BcdCopyObjectEx
|SYSPART|\|DEST|\BOOTNXT
|$`I;
H!t$ A
fA9<Fu
.?AVCPropertyPageWindow@WTL@@
OPCOT
Failed to set element application device. Status = [%x]
EnableBDEWithNoTPM
bbb~```YXXX9XXX
Create a Windows To Go workspace
\$(!\$x
A_A^A]A\_^[
~o4'
GetLocaleInfoW
|PNNN
98('%}ztkiZXcz
D$xE3
A^_^[]
t>H9{
L9]0u@
USER32.dll
GetCurrentThread
333hnnF{{;s:
Failed to open recovery store. Status = [%x]
uq>6$
|$`H;
.?AVCPortableWorkspaceDiskFilter@bl@@
Yu Gothic UI Light
<9===
|SYSPART|\|EFIDEFAULT|
Failed to populate BCD store. Status = [%x]
IDATq
usbxhci
.?AVCMessageLoop@WTL@@
9Y ~03
RtlStringFromGUID
.?AV?$CPropertyPageImpl@VCDevicePage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
CM_Get_Device_ID_Size
.?AVCMessageMap@ATL@@
Failed to get user token! Error code = %#x
.?AVCNotFoundException@utils@@
.?AV?$CPropertyPageImpl@VCReadyToCreatePage@ux@@VCAeroWizardPageWindow@WTL@@@WTL@@
Failed to initialize global state. Status = [%x]
\$(E3
A_A^A]A\^
f9H\u
EnterCriticalSection
W\VarFileInfo\Translation
.CRT$XCU
es-NI
.?AV?$_Ref_count@VCApplyImageTask@bl@@@tr1@std@@
RegDeleteKeyExW
\$ E3
ConvertStringSecurityDescriptorToSecurityDescriptorW
"w]xy
Portable-Workspace-Creator-Log-%d.etl
_errno
bn-BD
L$`H;
]0H!\$0
.?AVCDevicePathDiskFilter@utils@@
sr-Latn
root\cimv2\security\microsoftvolumeencryption
\\.\Spaceport
.?AVCPhysicalDisk@utils@@
-Ryq9-
SendDlgItemMessageW
//IMAGE[@INDEX='%u']/WINDOWS/VERSION/MAJOR
L$RfD9dDNu!H
8A_A^A]A\_^[]
</asmv3:windowsSettings>
`A_A^_^]
HKEY_CURRENT_USER
GetCurrentProcess
\\?\GLOBALROOT
cs-CZ
@kon|
.?AVCLauncherIncompatibleMultipleBootDisksException@@
LpPA@
Leelawadee UI Semilight
so-SO
D$0 H
"58F}
win:Stop
JIGFFFFFF
fa-IR
_vscwprintf
.?AV?$_Ref_count@V?$CAsyncResult@_N@utils@@@tr1@std@@
|EFIDEFAULT|\|DEFAULTAPP|
K AVH
Could not open the BCD template store. Status = [%x]
Error creating boot status data log(%s)! Bytes written = %#x, desired = %#x
;:7)&
j5LNL"
Failed to convert user SID! Error code = %#x
LocalFree
\xEy/
wuU0doy
D$8E3
UseTPMKey
</assembly>
L!t$(3
@A^_^H
smj-SE
mn-Mong-CN
Translation
mshelp://windows/?id=2eb8104c-2b9d-48f0-98e9-2ea70d47f115
en-MY
rm-CH
mr-IN
jQUfprrf|
se-NO
ATL$__z
H!t$ 3
he]QIM}}
it-IT
eedLrrr
D58;;>5>j
.?AVCPortableWorkspaceCreatorLogger@creator@@
Failed to copy OS loader object data. Status = [%x]
??_V@YAXPEAX@Z
zFD84$
xzf;t$hu>H
}[DD75$
SYSPART
RegisterTraceGuidsW
~zFF844
publicKeyToken="6595b64144ccf1df"
wcsncmp
$$$$$
;\$`}K
NtQuerySymbolicLinkObject
FileType
~D89TgdVOMIH'
<dependentAssembly>
\\%s\%s
zh-SG
GetTempFileNameW
ProductVersion
t$ I;
FlushFileBuffers
WinSta0
|SOURCE|\|FONTS|
WinSqmSetDWORD
GetSecurityDescriptorGroup failed! Error code = %#x
iu-CA-Latn
sv-FI
~z[DB84$
WinSqmEndSession
f94Cu
\$(H;\$0
.?AVCAppModule@WTL@@
Failed to retrieve spaces physical partitions. Last Error = %#x
gu-IN
__CxxFrameHandler3
~B<74$
fb\HC&x
ShowWindow
_onexit
TelemetryAssert
.CRT$XIAA
fD9<Au
%g|lz
.?AVCWindowsImageMetadata@utils@@
.?AVCProvisionWorkItem@bl@@
1o?-XfF
A_A^A\_^[]
LsaClose
Windows
Failed to set element associated resume object. Status = [%x]
es-US
PRVAx
E/H;F
onj[XUTTTTTU
iu-Cans
BOOTMGR
D$0E3
quz-BO
fD9$Yu
fD9(t
=L9o<
bootmgfw.efi
.idata$2
hsb-DE
pa-Arab-PK
|BOOTMGR|
.?AV?$_Ref_count@VCInternalProvisionData@bl@@@tr1@std@@
x AVH
.CRT$XCL
Yu Gothic UI
L$8I+
56;;f
WindowsImageCharacteristics
SYSTEM
SetupDisplayedProductKey
sr-Cyrl-CS
InitiateSystemShutdownExW
L$0LcC,
UTTTTTTTTTTTTU
HKEY_USERS
fD94Cu
AtlThunk_AllocateData
PathStripPathW
Failed to create Recovery directory. Last error = %#x
5qtp2 6^y~
LookupPrivilegeValueW
.xdata
WIMUnregisterLogFile
.gfids
</dependency>
|SOURCE|\|FWTYPE|
H SUVWAVH
zh-CHS
uaspstor
fD9<Xu
Segoe Pseudo
.?AV?$CWindowImplRoot@VCAeroWizardPageWindow@WTL@@@ATL@@
BfspPrintFileOwnerProcess: Malloc failed!Size = %#x
.?AVCDiskLayoutTask@bl@@
WWpo7
??0exception@@QEAA@AEBV0@@Z
Operating System
uAH!L$8H
}uqA;3!
TypeLib
vector<T> too long
WindowsImageIndex
GetModuleHandleExW
|$hH;|$pt
D9d$hu"9U t
_cexit
fr-CH
8D$8@
GetSecurityDescriptorOwner
VVWcU]
EventData
es-UY
se-SE
VG2/iI
es-CO
UVWAUAVH
CloseThreadpool
D753222222
DOES NOT contain
LdrFindResource_U
.c53.b5
\$@H9
t$ WATAUAVAWH
GetLastError
@USVWATAUAVAWH
UWAWH
_commode
|DEST|\bootspaces.dll
ar-IQ
9l$pI
Error creating boot status data log(%s)! Unable to allocate memory
fffffff
_amsg_exit
fD9$Gu
es-VE
p WATAUAVAWH
A_A]A\_]
?terminate@@YAXXZ
<OP[(
~^_rvx~~
AUAVAWH
NtDeviceIoControlFile
bin-NG
fD94Ku
~zFF<84
\$HE3
.?AVCAsyncResultNoResult@utils@@
sr-Latn-BA
D9|$0
Elevation:Administrator!new:%s
Unknown
Portable-Workspace-Creator-Trace-Session-%ws
+L$h3
Failed to delete duplicate loader object. Status = [%x]
es-MX
-=XPl
C0D9x4uQ
(t$`I
pA_A^A]A\_^]
u+D9Q
$\ZXUwvr
|SYSPART|\BOOTTGT
onj[X
Failed to set bootmgr resume object. Status = [%x]
PassPhrase
Leelawadee UI
BCD Error: %ws
CCastFailedException()
bn-IN
sr-BA-Latn
A_A^A]A\]
A_A^A]_]
.?AVCReadyToCreatePage@ux@@
BCD Warning: %ws
.?AVCBlackboard@ux@@
ServiceSpaces: %s does not exist
fA9\E
F5**32
`.rdata
NtWaitForSingleObject
Failed to expand default EFI application location.
ar-BH
bWti^
RegQueryInfoKeyW
version="1.0.0.0"
RegCloseKey
SetupDiEnumDeviceInterfaces
0A_A^A\_]
ssshol
SHCreateDirectoryExW
Provisioning complete
de-LI
{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
RtlAllocateHeap
kl-GL
fD9'u
_vsnwprintf_s
CNotFoundException()
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Icon | Icon Exact Hash | Icon Similarity Hash | Icon DHash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0x140000000 | 0x00058550 | 0x000d0168 | 0x000d0168 | 10.0 | pwcreator.pdb | 2080-04-20 10:14:20 | 70406f5672cb1fdb33eef1f42753431c |  |
bbc873346064b4eafa29161ed3a171ec | 37b330f1d0994da0167fd99fb95bd15f | 00ac0c8df07c3e40 |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Create a Windows To Go workspace |
| FileVersion | 10.0.17763.1 (WinBuild.160101.0800) |
| InternalName | pwcreator |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | pwcreator.exe |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.1 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x0005e7d1 | 0x0005e800 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.29 |
| .rdata | 0x0005ec00 | 0x00060000 | 0x0002a98c | 0x0002aa00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.65 |
| .data | 0x00089600 | 0x0008b000 | 0x00003ac8 | 0x00002e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.44 |
| .pdata | 0x0008c400 | 0x0008f000 | 0x00004194 | 0x00004200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.71 |
| .rsrc | 0x00090600 | 0x00094000 | 0x000361e0 | 0x00036200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.13 |
| .reloc | 0x000c6800 | 0x000cb000 | 0x00000f18 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.33 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| MUI | 0x000ca0e8 | 0x000000f8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.84 | None |
| WEVT_TEMPLATE | 0x000c8e60 | 0x00001282 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.34 | None |
| RT_ICON | 0x00094df0 | 0x00004c28 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.31 | None |
| RT_ICON | 0x00099a18 | 0x00002ca8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.58 | None |
| RT_ICON | 0x0009c6c0 | 0x00001628 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.93 | None |
| RT_ICON | 0x0009dce8 | 0x00000ea8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.77 | None |
| RT_ICON | 0x0009eb90 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.75 | None |
| RT_ICON | 0x0009f438 | 0x000006c8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.51 | None |
| RT_ICON | 0x0009fb00 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.53 | None |
| RT_ICON | 0x000a0068 | 0x000069e7 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.95 | None |
| RT_ICON | 0x000a6a50 | 0x00010828 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.92 | None |
| RT_ICON | 0x000b7278 | 0x000094a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.00 | None |
| RT_ICON | 0x000c0720 | 0x00004228 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.00 | None |
| RT_ICON | 0x000c4948 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.98 | None |
| RT_ICON | 0x000c6ef0 | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.34 | None |
| RT_ICON | 0x000c7f98 | 0x00000988 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.93 | None |
| RT_ICON | 0x000c8920 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.77 | None |
| RT_GROUP_ICON | 0x000c8d88 | 0x000000d8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.19 | None |
| RT_VERSION | 0x00094a40 | 0x000003b0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.44 | None |
| RT_MANIFEST | 0x00094490 | 0x000005aa | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.73 | None |
Imports
| Name | Address |
|---|---|
| bsearch | 0x140064a00 |
| __iob_func | 0x140064a08 |
| __RTDynamicCast | 0x140064a10 |
| memcpy | 0x140064a18 |
| memmove | 0x140064a20 |
| wcsncmp | 0x140064a28 |
| fwprintf | 0x140064a30 |
| _vsnwprintf_s | 0x140064a38 |
| fflush | 0x140064a40 |
| swprintf_s | 0x140064a48 |
| toupper | 0x140064a50 |
| _vscprintf | 0x140064a58 |
| vsprintf_s | 0x140064a60 |
| wcschr | 0x140064a68 |
| _wcsnicmp | 0x140064a70 |
| iswalpha | 0x140064a78 |
| wcsrchr | 0x140064a80 |
| _wcstoui64 | 0x140064a88 |
| wcstoul | 0x140064a90 |
| wcsstr | 0x140064a98 |
| _wcsicmp | 0x140064aa0 |
| ??0exception@@QEAA@AEBQEBD@Z | 0x140064aa8 |
| memset | 0x140064ab0 |
| __dllonexit | 0x140064ab8 |
| _wcsupr | 0x140064ac0 |
| ??3@YAXPEAX@Z | 0x140064ac8 |
| __CxxFrameHandler3 | 0x140064ad0 |
| memcpy_s | 0x140064ad8 |
| vswprintf_s | 0x140064ae0 |
| _vscwprintf | 0x140064ae8 |
| memmove_s | 0x140064af0 |
| __C_specific_handler | 0x140064af8 |
| ??_V@YAXPEAX@Z | 0x140064b00 |
| _purecall | 0x140064b08 |
| ??1exception@@UEAA@XZ | 0x140064b10 |
| ??0exception@@QEAA@XZ | 0x140064b18 |
| realloc | 0x140064b20 |
| _errno | 0x140064b28 |
| ??1type_info@@UEAA@XZ | 0x140064b30 |
| ?terminate@@YAXXZ | 0x140064b38 |
| _onexit | 0x140064b40 |
| wcscmp | 0x140064b48 |
| _unlock | 0x140064b50 |
| _lock | 0x140064b58 |
| _commode | 0x140064b60 |
| _fmode | 0x140064b68 |
| _acmdln | 0x140064b70 |
| _initterm | 0x140064b78 |
| __setusermatherr | 0x140064b80 |
| _ismbblead | 0x140064b88 |
| _cexit | 0x140064b90 |
| _exit | 0x140064b98 |
| exit | 0x140064ba0 |
| __set_app_type | 0x140064ba8 |
| __getmainargs | 0x140064bb0 |
| _amsg_exit | 0x140064bb8 |
| _XcptFilter | 0x140064bc0 |
| _CxxThrowException | 0x140064bc8 |
| _callnewh | 0x140064bd0 |
| ?what@exception@@UEBAPEBDXZ | 0x140064bd8 |
| ??0exception@@QEAA@AEBQEBDH@Z | 0x140064be0 |
| wcscpy_s | 0x140064be8 |
| _vsnwprintf | 0x140064bf0 |
| wcsncpy_s | 0x140064bf8 |
| malloc | 0x140064c00 |
| free | 0x140064c08 |
| ??0exception@@QEAA@AEBV0@@Z | 0x140064c10 |
| Name | Address |
|---|---|
| CreatePropertySheetPageW | 0x1400642b8 |
| DestroyPropertySheetPage | 0x1400642c0 |
| PropertySheetW | 0x1400642c8 |
| InitCommonControlsEx | 0x1400642d0 |
| Name | Address |
|---|---|
| PathAppendW | 0x140064778 |
| PathStripPathW | 0x140064780 |
| StrFormatByteSizeW | 0x140064788 |
| PathFileExistsW | 0x140064790 |
| PathRemoveBackslashW | 0x140064798 |
| Name | Address |
|---|---|
| StringFromGUID2 | 0x140064d38 |
| CoTaskMemRealloc | 0x140064d40 |
| CoTaskMemFree | 0x140064d48 |
| CoCreateInstance | 0x140064d50 |
| CoSetProxyBlanket | 0x140064d58 |
| CoGetObject | 0x140064d60 |
| CoTaskMemAlloc | 0x140064d68 |
| CoInitializeEx | 0x140064d70 |
| CoUninitialize | 0x140064d78 |
| CoCreateGuid | 0x140064d80 |
| CLSIDFromString | 0x140064d88 |
| Name | Address |
|---|---|
| VarUI4FromStr | 0x140064678 |
| SysFreeString | 0x140064680 |
| VariantClear | 0x140064688 |
| SysAllocString | 0x140064690 |
| SysAllocStringByteLen | 0x140064698 |
| SysStringByteLen | 0x1400646a0 |
| SafeArrayUnaccessData | 0x1400646a8 |
| VariantInit | 0x1400646b0 |
| SafeArrayAccessData | 0x1400646b8 |
| SafeArrayCreate | 0x1400646c0 |
| VariantCopy | 0x1400646c8 |
| SysStringLen | 0x1400646d0 |
| Name | Address |
|---|---|
| DevObjGetDeviceInterfaceDetail | 0x1400642e0 |
| DevObjOpenDeviceInfo | 0x1400642e8 |
| DevObjEnumDeviceInterfaces | 0x1400642f0 |
| DevObjDestroyDeviceInfoList | 0x1400642f8 |
| DevObjGetDeviceProperty | 0x140064300 |
| DevObjCreateDeviceInfoList | 0x140064308 |
| DevObjGetClassDevs | 0x140064310 |
| Name | Address |
|---|---|
| FveIsPassphraseCompatibleW | 0x140064320 |
| FveCloseHandle | 0x140064328 |
| FveOpenVolumeW | 0x140064330 |
| FveCheckPassphrasePolicy | 0x140064338 |
| Name | Address |
|---|---|
| BrandingFormatString | 0x140064948 |
| Name | Address |
|---|---|
| SHCreateDirectoryExW | 0x140064760 |
| SHGetKnownFolderPath | 0x140064768 |
| Name | Address |
|---|---|
| SetupDiDestroyDeviceInfoList | 0x1400646f0 |
| CM_Get_Parent | 0x1400646f8 |
| CM_Request_Device_EjectW | 0x140064700 |
| SetupDiGetDevicePropertyW | 0x140064708 |
| SetupDiEnumDeviceInterfaces | 0x140064710 |
| SetupDiGetClassDevsExW | 0x140064718 |
| SetupDiGetDeviceInterfaceDetailW | 0x140064720 |
| CM_Get_Device_ID_Size | 0x140064728 |
| CM_Get_Device_IDW | 0x140064730 |
| SetupDiOpenDeviceInfoW | 0x140064738 |
| SetupDiCreateDeviceInfoList | 0x140064740 |
| SetupDiOpenDevRegKey | 0x140064748 |
| SetupDiOpenDeviceInterfaceW | 0x140064750 |
| Name | Address |
|---|---|
| WIMApplyImage | 0x1400648e8 |
| WIMLoadImage | 0x1400648f0 |
| WIMGetImageInformation | 0x1400648f8 |
| WIMUnregisterLogFile | 0x140064900 |
| WIMCreateFile | 0x140064908 |
| WIMSetTemporaryPath | 0x140064910 |
| WIMRegisterMessageCallback | 0x140064918 |
| WIMUnregisterMessageCallback | 0x140064920 |
| WIMCloseHandle | 0x140064928 |
| WIMGetImageCount | 0x140064930 |
| WIMRegisterLogFile | 0x140064938 |
| Name | Address |
|---|---|
| UuidCreate | 0x1400646e0 |
| Name | Address |
|---|---|
| CheckSumMappedFile | 0x1400649f0 |
| Name | Address |
|---|---|
| BcdSetLogging | 0x140064958 |
| BcdForciblyUnloadStore | 0x140064960 |
| BcdOpenObject | 0x140064968 |
| BcdCloseObject | 0x140064970 |
| BcdDeleteObject | 0x140064978 |
| BcdOpenStoreFromFile | 0x140064980 |
| BcdCopyObjects | 0x140064988 |
| BcdCreateStore | 0x140064990 |
| SyspartGetSystemPartition | 0x140064998 |
| BcdQueryObject | 0x1400649a0 |
| BcdGetElementData | 0x1400649a8 |
| BcdDeleteElement | 0x1400649b0 |
| BcdSetElementData | 0x1400649b8 |
| BcdCopyObjectEx | 0x1400649c0 |
| BcdMarkAsSystemStore | 0x1400649c8 |
| BcdEnumerateObjects | 0x1400649d0 |
| BcdCloseStore | 0x1400649d8 |
| BcdSetElementDataWithFlags | 0x1400649e0 |
Usage
Processing ( 13.85 seconds )
- 12.971 ProcessMemory
- 0.847 CAPE
- 0.019 BehaviorAnalysis
- 0.007 AnalysisInfo
- 0.001 Debug
Signatures ( 0.06 seconds )
- 0.008 ransomware_files
- 0.005 antianalysis_detectfile
- 0.005 antiav_detectreg
- 0.005 ransomware_extensions
- 0.003 ursnif_behavior
- 0.002 antiav_detectfile
- 0.002 infostealer_bitcoin
- 0.002 infostealer_ftp
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.002 territorial_disputes_sigs
- 0.001 bot_drive
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
- 0.001 lokibot_mutexes
Reporting ( 0.01 seconds )
- 0.006 CAPASummary
- 0.001 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: pwcreator.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: pwcreator.exe, PID 4728
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4728 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
\Device\CNG
C:\Users\Packager\AppData\Local\Temp
C:\Windows\System32\kernel.appcore.dll
C:\Users\Packager\AppData\Local\Temp
C:\Windows\System32\kernel.appcore.dll
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MiniNT
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MiniNT
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Global\d2d609d3-fec2-4cf1-99f8-2a066c8846ae
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.