Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-12 02:59:31 | 2025-06-12 03:30:28 | 1857 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,116 [root] INFO: Date set to: 20250611T16:54:18, timeout set to: 1800 2025-06-11 17:54:18,612 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad 2025-06-11 17:54:18,612 [root] DEBUG: Storing results at: C:\uyHCokWh 2025-06-11 17:54:18,612 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC 2025-06-11 17:54:18,612 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-11 17:54:18,612 [root] INFO: analysis running as an admin 2025-06-11 17:54:18,612 [root] INFO: analysis package specified: "exe" 2025-06-11 17:54:18,612 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-11 17:54:19,175 [root] DEBUG: imported analysis package "exe" 2025-06-11 17:54:19,175 [root] DEBUG: initializing analysis package "exe"... 2025-06-11 17:54:19,175 [lib.common.common] INFO: wrapping 2025-06-11 17:54:19,175 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-11 17:54:19,175 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\WerFault.exe 2025-06-11 17:54:19,175 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-11 17:54:19,175 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-11 17:54:19,175 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-11 17:54:19,175 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-11 17:54:19,362 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-11 17:54:19,487 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-11 17:54:19,518 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-11 17:54:19,518 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-11 17:54:19,534 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-11 17:54:19,534 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-11 17:54:19,534 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-11 17:54:19,550 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-11 17:54:19,550 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-11 17:54:19,550 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-11 17:54:19,550 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-11 17:54:19,550 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-11 17:54:19,550 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-11 17:54:19,550 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-11 17:54:19,550 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-11 17:54:19,550 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-11 17:54:19,550 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-11 17:54:19,550 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-11 17:54:30,831 [modules.auxiliary.digisig] DEBUG: File has a valid signature 2025-06-11 17:54:30,831 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-11 17:54:30,831 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-11 17:54:30,831 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-11 17:54:30,831 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-11 17:54:30,831 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-11 17:54:30,831 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-11 17:54:30,831 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9 2025-06-11 17:54:30,831 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-11 17:54:30,831 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-11 17:54:30,831 [root] DEBUG: attempting to configure 'Human' from data 2025-06-11 17:54:30,831 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-11 17:54:30,831 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-11 17:54:30,831 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-11 17:54:30,847 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-11 17:54:30,847 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-11 17:54:30,847 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-11 17:54:30,847 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-11 17:54:30,847 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-11 17:54:30,847 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-11 17:54:30,847 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-11 17:54:30,847 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-11 17:54:30,847 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-11 17:54:30,847 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-11 17:54:30,847 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-11 17:54:30,862 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini 2025-06-11 17:54:30,862 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-11 17:54:30,878 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-11 17:54:30,878 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-11 17:54:30,878 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-11 17:54:30,878 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-11 17:54:30,878 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-11 17:54:30,878 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\pQxbIz.dll, loader C:\tmpjeo7jmad\bin\EPCPTrhb.exe 2025-06-11 17:54:30,925 [root] DEBUG: Loader: IAT patching disabled. 2025-06-11 17:54:30,925 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\pQxbIz.dll. 2025-06-11 17:54:30,972 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-11 17:54:30,972 [root] INFO: Disabling sleep skipping. 2025-06-11 17:54:30,972 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-11 17:54:30,972 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-11 17:54:30,972 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-11 17:54:30,972 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-11 17:54:30,972 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-11 17:54:30,987 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-11 17:54:31,003 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-11 17:54:31,003 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-11 17:54:31,003 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 5112, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000 2025-06-11 17:54:31,003 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-11 17:54:31,019 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-11 17:54:31,019 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-11 17:54:31,019 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\pQxbIz.dll. 2025-06-11 17:54:31,019 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-11 17:54:31,019 [r <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-12 02:59:31 | 2025-06-12 03:30:08 | none |
File Details
| File Name |
WerFault.exe
|
|---|---|
| File Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| File Size | 444728 bytes |
| MD5 | 7f3abbaa0117ada3d3f0ef5a3188fd74 |
| SHA1 | 283d61fef7e472e920f03e2f1dd9084bcb38b792 |
| SHA256 | 4b7feb0d02361b9bb9f73f958a36c43636020f348210663974bcb60533939f85 [VT] [MWDB] [Bazaar] |
| SHA3-384 | ff889fc62bdfb7f61b259b6339b4da7ee9541a8536561ef63fd40516197729ac9e7f4429f9cf9fca2c0f080bc3c81ff0 |
| CRC32 | CDAB6ECA |
| TLSH | T1E1947C16FBA84030F5F3E27117396232BA7E781D1F9245C76260668FB9706C0EA3571B |
| Ssdeep | 12288:fzBH66q1a40a003/D2iZf3S2wsZZxS6FFfkc2Hywqq8:Z66q1a40a003/DfdipyZxS6FFfkcyhU |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
MoveAndSecureFile failed
8(8?8S8]8l8s8}8
WER Tracing Session
L$(Qh
:F:O:Z:`:q:
CKernelReport::WaitForDumpConversion
smjlO
yh*n!
PhL#@
DC.SnapshotMode
,Br3tPNjzYZNG77liuYvKEssa6FPq0YutBYTbusBfgrU=0Z
FILES
wil::details_abi::SemaphoreValue::GetValueFromSemaphore
</trustInfo>
;D$ t
0>0P0s0
ReleaseMutex
WERDumpCollectionStatus
api-ms-win-core-toolhelp-l1-1-0.dll
CryptCATCatalogInfoFromContext
Could not collect dump for cross process: 0x%x
CLiveDumpProcessor::CreateLiveReportKey
ReportLiveReport failed
CreateMiniDumpFile failed
WaitForEvent failed
5t:mN
Additional Hang Signature 3
CreateSemaphoreExW
v8zj|u
<description>watson</description>
QQSVW
OpenFileMappingW
ConfigureArchive
werdiagcontroller.dll
1E1`1
384|4
VerifyFlags=
D$HSVP
G43G4
D$(Pj%S
CLiveDumpSettings::InitLiveReportsStoreRoot
G?w?/\n
5"6/6a6t6
win:EventlogClassic
<L<W<b<
Initialize failed for SUBKEY_CRASH_CONTROL
RdH1#
non-elevated
param2
D$4Pj
RegSetValueExW
onecore\windows\feedback\core\werfault\user\snapshot.cpp
8#8)8:8f8k8|8
3*30353L3U3k3q3v3
RegQueryInfoKey returned 0 values
/hCP*!G
0 0$0(0,00040<0d0
;N;W;u;
da^\\_
MoBEX
SetPriorityClass
GenerateDriverPath failed
PhHo@
VhhL@
NtQueryLicenseValue
>,>2>7>P>W>\>j>p>u>
?0?J?\?r?w?
TlP0X
Product
CDumpProcessor::ConvertDumpFile
CLSIDFromString
|$,20ES
PhL?@
<q^XK
;k<x<
=:=K=
6*6/6?6j6
?"?B?\?
6#6k6y6
ImagePath
WhX*@
7*8\8a8{8
EventId
SetEntriesInAclW
:UM*H
tDDwx
PageHeapVirtualMemoryPercent
MinimumBuffers
api-ms-win-core-localization-obsolete-l1-2-0.dll
5&5d5j5o5
LiveKernelReportsPath
3)SvV
</asmv3:windowsSettings>
;';-;2;F;p;u;
Failed to create mini live report.
api-ms-win-core-string-l1-1-0.dll
374=4N4
%s|%s
t>hT(@
DBGENG_NO_BUGCHECK_ANALYSIS
Reporting not cancelled during destructor
nAutoVerifierV2
dc.xpmodmini
GetProductInfo
O0M0K
lsvchost.exe
wtDDDDF
Microsoft Corporation
LCMapStringW
ReportFromKQueue failed
LoadLibraryExW
</INFDATE>
memcmp
< >%>+>5>;>L>
PSj@h
OSCrash
RegOpenKeyW
_XcptFilter
D$PSV
? ?0?D?I?x?
smE?)1
dc.forcenativedump
CKernelReport::QueueKernelReport
_lock
?$?4?U?^?c?s?
j Zf;
j\Xf9
6-6T6Y6
Add to tail failed
839|9
D$(t\P
191H1Q1W1_1e1
D$pSVW
UnmapViewOfFile
2!2(2-262k2p2x2
api-ms-win-core-wow64-l1-1-0.dll
TargetInstructionBytesLength
Application Error
yFWVhH
ProcessStartTime
BypassNetworkCostThrottling
language="*"
53696>6t6
%s %s
EtwEventWriteNoRegistration
CryptCATOpen
Full Report is busy for %ws - %ws
_initterm
SetThreadpoolWait
CriticalProcessFault2
CallReturnAddress
BootId
GetSystemWow64DirectoryW
UtilExpandEnvVariable failed
.idata$5
9;9G9`9n9z9
444B4g4u4
name="Microsoft.Windows.Common-Controls"
WER/CrashAPI:%u: ERROR Failed to read the peb from the process
LoadLibraryW
Vertical
=F=h=s=x=
1)1.1X1^1c1
api-ms-win-core-version-l1-1-0.dll
NoHardConsent
0/0Q0o0v0
6H7M7]7
K32GetModuleFileNameExW
b+[*K,Ea$n'
NtAllocateVirtualMemory
AllowTelemetry
CFFF000
252p2u2
EventName
Whh]@
050<0K0R0
TEMPp
internal\sdk\inc\wil\Resource.h
wcschr
NtQuerySystemInformation
hOO&>
<FILESIZE>%u</FILESIZE>
Microsoft
PageHeapCommitMemoryPercent
F8#F<;
3A3K3i3n3
RtlAllocateAndInitializeSid
Software\Microsoft\Windows\Windows Error Reporting\Consent
?I?O?T?n?s?y?
oNtQueryWnfStateData
0@0s0
SnapshotCaptureMain
<SYSTEM>
.didat$2
Failed to load windows directory
Sh`.@
GlobalFlag
CrashDumpEnabled.New
CoGetCallState
7#7*7c7J8Z8a8r8
=5=]=x=
Wh`X@
?:?R?X?
.data$r$brc
QueuePesterInterval
Sprintf failed
CallReturnProtect
Invalid command line params
=(=9=~=
LimitEnhancedDiagnosticDataWindowsAnalytics
CloseServiceHandle
545?5D5s5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
FH#FL;
towlower
SOFTWARE\Policies\Microsoft\SQMClient
CKernelReport::CheckForFullLiveReports
Pj6hP
Advanced Server
D$4PSQ
CKernelReportDataCollection::GenerateDriverPath
SetEvent
TEMPH
_exit
ekii)O
=#=(=V=\=
3)4T4w4
1!2=2U2q2
RegSetKeySecurity
>8?C?Q?
CHANp
?$?6?e?k?x?
</MANUFACTURER>
;!;';?;Q;U;q;
Ph`m@
Could not collect cross dump for loaded module %ws: 0x%x
1o2z2
0E0Y0g0l0|0
%s\LiveKernelReports\%s\%s
MoveFileExW
<FLIGHTID>
Wh$c@
tSoftware\Microsoft\Windows\Windows Error Reporting\Plugins
##$$$3355666X
1Y>B!
2'2@2U2l2~2
2$202P2X2`2l2
Legal_Policy_Statement
QQSVWj
9+909I9h9s9x9
</FLIGHTID>
AlwaysKeepMemoryDump
00000000
WerpRestartApplication
api-ms-win-core-debug-l1-1-1.dll
%hs!%p:
FinalDumpFileLocation
y%h\z@
HKCU\
Copy failed for name
Invalid initiating process id was passed
='=5=:=K=s=x=
<L<Q<n<
:#;-;9;A;F;\;};
3<3i3n3
4G4V4{4
WAIT_TIME
OpenThreadWaitChainSession
Q"IYKZ}
Additional Hang Signature 2
api-ms-win-core-synch-l1-2-1.dll
RtlGetUnloadEventTraceEx
2"2'292O2g2|2
PEB_SIGNATURE
vrfcore.dll
WerFault.pdb
HKCR\
60;0N0
1h@&@
:&:,:=:c:
MnZPw
414T4
[55JR
7I7S7_7g7l7
f1Xw
r*.dmp
6 6@6H6T6t6
n7b}-
CoCreateInstance
GetCommandLineW
Local\WERReportingForProcessComplete%u
CDumpProcessor::GenerateIntegratorReportId
WerpSetReportNamespaceParameter
BootStatus
=$=7=[=i={=
262{2
5 5,5L5X5x5
GetThreadTimes
y7h8g@
</FILENAME>
ezGc4
5!5V5
ConvertStringSecurityDescriptorToSecurityDescriptor failed
>=>I>O>`>
Failed to open the sub key %ws while reporting for all kernel reports
PVWQRj+
5Y6^6n6
GetFileAttributesW
DefaultOverrideBehavior
APPCRASH
Microsoft Time-Stamp PCA 20100
=*=/=M=k=p=
%02x%02x
0e1r1
onecore\windows\feedback\core\werfault\kernel\livedumpsettings.cpp
PssWalkMarkerFree
SVWh`
SVWh(
WilStaging_02
CompareFileTime
cY~xx[
9#:J:O:^:
=a>}>
:I:S:X:d:n:s:
03080b0g0w0|0
StartTime
+9BJL
VhDy@
.CRT$XIA
OriginalBucket
RtlNtStatusToDosError
y"h,a@
?8?Q?[?t?
<H=a=o={=
111019184142Z
TYPECODE
9K9c9i9n9
UuidToString failed
minidump.mdmp
OpenEventW
CKernelReport::EnableFullKernelDump
:5:?:K:S:X:n:w:
0(0/0S0k0q0
0+080\0Q1
mscorsvr.dll
ResetEvent
GetSidSubAuthority
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
;'<P<U<j<p<u<
UtilGetTempDirPath failed
CKernelReportDataCollection::GetSystemData
BuildString
56BI=
5/5J5O5
FileDescription
%Microsoft Windows Production PCA 2011
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
717t7y7
DeleteLiveMiniDumps
"$$$\
CKernelReport::CheckAndDeleteLiveMemoryDump
:X;d;j;q;z;
Unable to get the path for the file
;3;>;C;T;h;
RegDeleteKeyA
2 2L2W2\2o2
Home Edition
\goLf
5-5B5I5X5]5
4(5/5;5Z5r5
wil::mutex_t<class wil::details::unique_storage<struct wil::details::resource_policy<void *,void (__stdcall*)(void *),&void __stdcall wil::details::CloseHandle(void *),struct wistd::integral_constant<unsigned int,0>,void *,0,std::nullptr_t> >,struct wil::err_returncode_policy>::acquire
8 9b9
Microsoft Corporation1
CKernelReportDataCollection::WriteRegistryKeyXML
TTBL\
;/;5;i;o;
_NT_SYMBOL_PATH
ErrorPort
nWaitOnSnapshot
RtlSubscribeWnfStateChangeNotification
.mdref
0f1m1z1
Reserved.PlatformSigned
NtPowerInformation
6I6N6n6s6
3 3'32383O3h3n3{3
ntdll.dll
FailSnapshotDumper
n_[;l
Falling back to non-reflected dump for reflection request
onecore\windows\feedback\core\werfault\kernel\crashsettings.cpp
;C<l<
DbgPrint
Failed to create the file %ws for write
AvailableKernel
WER/CrashAPI:%u: ERROR Invalid args
WerpSetEventName
InitializeCriticalSection
SetThreadPriority
MoAutoVerifier
win:Informational
Microsoft Time-Stamp PCA 2010
2-323h3m3|3
3&3V3d3i3
CriticalSection
Thales TSS ESN:FC41-4BD4-D2201%0#
d2A)E
DriverStoreGetObjectProperty for DEVPKEY_DriverPackage_DriverDate failed
!!.12
==66v
VhX.@
6)7I7P7~7
wil::details::CloseHandle
WAIT_NODE
3M4p4
6!6'6,6C6
5666h
r8IIL:Z-
?0?W?]?
=P=`=
HSAZM
f97t_
_}vut
>{pp@+
AutoVerifierTimeDuration
?3?8?R?o?
WER/CrashAPI:%u: ERROR Unable to get NtWow64QueryInformationProcess64
GetNativeSystemInfo
%SystemRoot%\MEMORY.DMP
BuildBranch
"99u09:u,
CKernelReport::SendReport
RegQueryValueEx failed
8?8M8t8
Snapshot dumper failed to prepare: HRESULT %08X.
20ESt
WerpTraceSnapshotStatistics
CKernelReport::ConvertLiveDumpAndReport
8)fs)
<security>
180823202702Z
InPageError
ConvertSidToStringSidW
AllowTelemetry_PolicyManager
f9>u+QV
GetTickCount64
BugCheckParameter1
<?<N<S<c<
>;>u>
??0exception@@QAE@ABV0@@Z
HKEY_USERS\
:#:_:
CRIMx,
383=3M3h3
QueueSizeMaxPercentFreeDisk
memmove_s
WWWWWWW
KEYW8
ExceptionStatusCode
.rdata$zETW9
api-ms-win-core-delayload-l1-1-0.dll
0&040B0P0^0l0z0
ext-ms-win-ntuser-windowstation-l1-1-2
.(gM\
Wh0'@
GetWindowsDirectory failed
_HANGREP_PKGFULLNAME
191E1K1U1a1i1n1
;A;M;
t%s\FullLiveKernelReports\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
0V1[1
LocalCompression
7@_^]
/-{cne:
686=6
>U?[?n?
<V<\<}<
api-ms-win-core-file-l1-2-0.dll
t!PQQ
StringCchCopy failed
Invalid number of command line params passed. Params passed: %d
tDDDDgwx
Sprintf Failed
4SVWj
F0PSht
GetSidSubAuthorityCount
100701213655Z
D$ Pj@V
sfc_os.dll
4<4r4
WerpTraceAuxMemDumpStatistics
=$=G=O=U=e=
t2`Q,
t/9\$
TerminateProcess
(0x%x): %s
Wj Wj
CollectCrossProcessDumps failed: 0x%x
5Q5Z5o5
=%=;=@=Q=e=j={=
??A0[[^L}}
%u.%u
6&6.636W6^6
9,9}9
\$h<B
6@6{6
HKEY_CURRENT_CONFIG\
~^}Q{
3/4?4F4O4V4]4d4k4r4y4
GeoId
<:<Q<{<
GetEnvironmentVariableW
/>
GetPackageFamilyName
:4:]:b:z:
Server
WerCreateReport failed
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
SetupDiDestroyDeviceInfoList
Invalid number of command line params. Params expected %d, passed: %d
636>6E6
:);M;j;
FreeVolumeSpaceMB
CompareStringW
GetUserObjectInformationW
WerReflectedProcessCleanup
TelemetryPermission-AllowDisable
WerpAddMemoryBlock
QRPhT
<HARDWAREID>
ext-ms-win-ntuser-window-l1-1-4
Microsoft Windows0
Debugger Config
RtlSecondsSince1970ToTime
2F)=G)}
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
>'>,>f>
626V6[6
0>1C1[1
Could not collect xproc for reflection: 0x%x
?y'kk]&
X)|O#%H
1C2I2Z2y2~2
9%969F9
6+606N6u6~6
CollectCrossProcessModuleDumps failed: 0x%x
StackHash12_%03x
.text$x
HKEY_LOCAL_MACHINE\
CreateMutexW
R!s4Z
j>Xj<f
_wtoi
WER/CrashAPI:%u: ERROR StringCchCopy failed with 0x%x
%02d-%02d-%04d
api-ms-win-core-processenvironment-l1-1-0.dll
Sprintf failed for pbValData
SetFileAttributesW
AppRecorder
dc.xpminidump
ReserveMachineQueueDirectory failed: 0x%x
UuidCreate failed
= =Q=a=f=y=
1K1p1u1
CloseThreadWaitChainSession
XYYYF+
.xdata$x
Minidump
Copy failed for string into live kernel report
CryptCATAdminAcquireContext
WER/CrashAPI:%u: ERROR No 32 PEB for process
GetModuleHandleW
:!:S:X:i:y:
2"3=3B3y3
&<>'"
Could not collect dump for reflection cross process: 0x%x
WEVTh
:*:@:E:V:
api-ms-win-core-registry-l1-1-0.dll
161;1@1T1Z1_1n1s1
<OSNAME>%ls %ls</OSNAME>
:9;P;{;
CDumpProcessor::MoveDumpFile::<lambda_94e7710bac7d12442c412180796b42fd>::operator ()
]c[vc
939O9T9`9r9
.giats
<2<=<O<W<\<a<
kernelbase.dll
?U?l?w?|?
.rsrc
WerpSetReportFlags
Rh$c@
<;<F<m<r<x<}<
ffefe
8*8H8\8a8f8v8
>!-+-N
stopcode
000@0\0`0|0
dSubmission ID
7+898>8W8
3qqq!PJ
ext-ms-win-ntuser-window-l1-1-0
WAIT_BLOCKINGTHREAD
dbghelp.dll
EVENT_PROCESSTERMINATION_SELF
'@ Tk
Whp_@
PrintRegKeyXML failed
gWaitOnStart
OriginalFilename
CallReturnType
QSVWj!^
CreateMutex failed
8[8h8u8}8
- Watson request dump: %08X.
BCryptCreateHash
7]7i7w7|7
BugCheckParameter4
full_dump=Any;fulldump=Any
FileTimeToSystemTime
PKGFULLNAME
9DGGE
AvI&c\
203@3L3l3x3
clr.dll
\$HPW
StringCchPrintf failed
$Microsoft Ireland Operations Limited1
;[<`<
h~yxxxsts
full_dump=AskKernel;full_dump=AvailableKernel;full_dump=Any;fulldump=AskKernel;fulldump=AvailableKernel;fulldump=Any
\SystemRoot\
WerAppRecorderNonResponsive
SERVERROLES
1>2v2}2
full-%s
:2:?:D:a:z:
level="asInvoker"
VhL_@
757K7T7[7
: :%:T:^:r:w:
InstallRoot
\Device\IPT
5+505K5c5h5~5
5$545S5X5v5
040:0N0S0
Software\Microsoft\Windows\Windows Error Reporting\Debug
j,h S@
Y__^[
;';-;2;V;f;n;s;
>'>W>]>n>
No dump was present
4)4O4
QQSh0T@
:+k:M
7>7V7b7x7
='=R=[=p=
NtUpdateWnfStateData
9'`@F
uU9_,uP
eyypL
>&>+>`>u>z>
<PRODUCTTYPE>%u</PRODUCTTYPE>
ProcessId
CloseHandle
0c0j0z0
>+>p>
@.reloc
ExtractBugCheckInfo failed
"##$33355566T
QueryDosDeviceW
internal\sdk\inc\wil/Staging.h
9Y9`9r99:>:O:a:f:v:
FreeSid
IsTest
ARM64
0x%08X
e{imA
Web Server
z.9Wv
)0/0a0g0
D$(SVW
CallReturnModName
?<?K?b?h?
_purecall
>k>p>
Kccc3
GetProcessIoCounters
20190307093423Z
CreateThreadpoolWait
GetSystemTimeAsFileTime
7hh=@
tah N
api-ms-win-eventlog-legacy-l1-1-0.dll
Invalid process id was passed
3$3)3
Software\Policies\Microsoft\Windows\Windows Error Reporting
Vh`X@
__p__fmode
RegEnumValueW
NtOpenEvent
CLiveDumpProcessor::CreateLiveMiniDumpFile
4/4A4H4S4X4v4
QSVWh
CoGetMalloc
Application Timestamp
<h8q@
Invalid params
GetKernelObjectSecurity
3-343_3n3u3x4
/>
Sprintf failed for bug check string
C Pj3
t?9s,u:
<5<E<J<[<v<
tI9^TuD9
8}""Mu
>A>N>T>Y>i>x>
\Device\Mup\
2!3<3E3L3n3y3
Revision
wil::details_abi::SemaphoreValue::TryGetPointer
9"92979N9
ConvertDumpAndReport failed
<6<L<Q<
0B0M0V0[0p0
*DFDE&
03080J0P0U0l0
StackTrace
VyqpB
Read queued report: report UUID: %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x
`08R[
SetUnhandledExceptionFilter
MEMORYDIAGNOSTIC
}p'>q
=5=;=@=Z=e=j={=
2&282_2
Failed to read settings for MiniDumpDir
</asmv3:application>
api-ms-win-core-file-l2-1-0.dll
(TransitionMU)
atv(W
\registry\machine\
?*?F?X?^?o?
GetSystemDefaultLangID
!-./3
WerpSetDynamicParameter
dc.xpmoddata
Pj$h<
RtlFreeHeap
.text
IntegratorReportId
pL%pL
Version
3/3d3
6;6@6g6l6
%d.%d.%[^.].%[^.].%s
PARAMETERS
PicFreeFileInfo
.rdata$brc
8+888S8f8r8
:(;w;
CorporateWerUploadOnFreeNetworksOnly
MSFTInternal
CLiveDumpProcessor::CompleteFullLiveReport
;'<:<?<\<x<
PSVWQ
0%00050L0_0k0u0z0
Global\WerKernelVerticalConvertingLiveDump
PageHeapDllRangeEnd
ICW{ug
WAITINGONAPPVER
WerpAuxmdHashVaRanges
;+;0;@;u;
api-ms-win-security-provider-l1-1-0.dll
1$12181=1I1O1T1j1v1
xajD^V
<SERVICE>
5.5:5?5
</HARDWAREID>
CorruptedFilePath
S0`0e0
APPSTAMP
9::U:`:q:~:
Vhx#@
*f8Q)57H
MinidumpsCount
.idata$4
7*7P7e7j7
AddBugCheckSignaturesToReport failed
<2<=<B<
777k7
CKernelReportDataCollection::GetDriverInformationFromRegistry
"#$$33555666
xxxxzz
%Z@!Z
%sDrivers\%s.sys
CryptAcquireContext failed
<,<8<U<a<
L$(Qj
Found %u x86 processes for xproc module: %s
GetTokenInformation
@_^[]
.+Y[0
?#?@?
zzz:r
2y2~2
IDATt
WerpGetStorePath
__dllonexit
1k2p2
uK~a]
Minidumpdir not set
9@:E:b:r:w:
WerpReportCancel
setupapi.dll
RegEnumKeyExW
OpenMutexW
MoAppCrash
GetStringTypeExW
2J3O3`3
&
RtlSetThreadErrorMode
]?`}]a
RESTRICTEDHASH
Microsoft.Windows.WindowsErrorReporting
printf
InitializeSecurityDescriptor
api-ms-win-core-com-l1-1-0.dll
L$ Wj
718z8
t$(SV
10.0.17763.379 (WinBuild.160101.0800)
Package Full Name
QRPh4
CDumpProcessor::CreateMiniDumpFile
C-R97
<#<c<w<|<
<"<'<J<O<~<
processorArchitecture="x86"
, gv#
0,//Q.]
CallReturnRegionSize
zzz3w
6'7,7V7[7
wer.dll
Microsoft Corporation1-0+
8PAGEuP
STACKHASH
Thread
CKernelReport::LoadQueuedReports
$SVWPh
WerReportAddFile
9F9c9m9
Application Name
91:<:A:~:
%s\%s
LoadQueuedReports failed
CreateEventW
GetFileVersionInfoExW
D$Tj@P
QueryTraceW
6#7(787R7Y7d7k7
6#6u6
</PRODUCTNAME>
RegSetValueEx failed
SetLastError
No shared mem handle or process id was passed
WER/CrashAPI:%u: ERROR Unable to get NtWow64ReadVirtualMemory64
?/?4?x?
.rsrc$01
SVWPh
~\<P]
808Z8^8b8f8j8n8r8v8z8~8
Richz
525J5u5z5
VhXv@
:f;8u
Ph0'@
DebugBreak
PowerSettingUnregisterNotification
WerpReserveMachineQueueReportDir
</INFVERSION>
SystemErrorReporting
Vh(x@
VhPb@
TraceFlags
FailingFunction
DC.CustomDump
4B5P5
RegDeleteValueW
j?,b!
>F?\?a?~?
v(hX!@
.idata
ole32
\KernelObjects\SystemErrorPortReady
&P/70
?!?8?A?T?j?s?
3'343?3I3]3b3
K32EnumProcessModules
505H5`5x5
1xaH9\c
=L=Z=i={=
7&7-797G7R7b7v7|7
PageHeapSizeRangeStart
5L5Q5
Reflection
CRASH_ON_LAUNCH
MinFreeDiskSpace
RegQueryInfoKey failed
353<3R3
Is64Bit
PPPPf
Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users
CLiveDumpProcessor::SubmitMiniLiveReport
ControlType
memory.hdmp
VirtualAlloc
policymanager.dll
GetSecurityDescriptorDacl
;hlY@
5%5/5;5C5H5U5a5i5n5
^>zmT
api-ms-win-core-registry-l2-1-0.dll
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
WER/CrashAPI:%u: ERROR Invalid arguments
<FILENAME>
?'?u?z?
PSSSSSSSj
|$,10ESt
9*:h:z:
NO_PACKAGE
VhX*@
_CxxThrowException
!X&XUm
ModuleNameLength
LoggingDisabled
2#2(282a2
DisableDeviceDelete
IsWindow
ArchiveFolderCountLimit
?'?2?;?@?P?{?
849^9d9u9
878>8
InitializeSRWLock
02080I0~0
GetThreadDesktop
LeaveCriticalSection
lRYR\
2"2=2P2U2e2u2}2
3t4z4
_HANGREP_XPROC_PKGRELAPPID
C<YBJ?
Access denied for the event %ws
VirtualQueryEx
ext-ms-win-setupapi-classinstallers-l1-1-0.dll
Disabled
PageHeapTargetDlls
GetFinalPathNameByHandleW
SShPA@
CreateLiveMiniDumpFile failed
BugCheckParameter3
5"5*5;5H5]5b5p5v5{5
Microsoft Corporation. All rights reserved.
Reg failed to initialize
y1Qj0h8c@
PssQuerySnapshot
.?AVexception@@
ext-ms-win-ntuser-window-l1-1-3
ext-ms-win-kernel32-package-l1-1-2
Unable to create the folder %ws
Arbitrary XProc
name="Microsoft.Windows.Feedback.Watson"
_controlfp
.text$yd
Communications Server
PageHeapFlags
tIVWS
t$,SP
TTBL(
4 4E4X4]4z4
CMachineCrashSettings::LoadSettings
Qo6pi
User file
WerpSetTelemetryAppParams
ApplicationRecorder
t(ht;@
CreateDirectoryW
0&090W0i0
D$lSP
=a>n>s>
5G5q5{5
=0=F=
VhHo@
858:8f8
liveDumpProcessor initialization failed
WER/CrashAPI:%u: ERROR WerpNtWow64QueryInformationProcess64 failed with status 0x%x
api-ms-win-core-localization-l1-2-0.dll
2,2i2
CabArchiveSeparate
>,>F>U>c>h>~>F?V?i?}?
<&=-=6=
Sprintf failed while closing the xml node name
Ph\0@
<!)))
8*828=8E8P8X8c8k8v8~8
Ph8@@
4A5]5c5|5
PolicyManager_FreeGetPolicyData
%s.xml
HangrepAPI2WERSVC
wil::details_abi::ProcessLocalStorageData<struct wil::details_abi::ProcessLocalData>::MakeAndInitialize
isspace
dc.expmodmini
wil::details_abi::SemaphoreValue::CreateFromValueInternal
Stopped responding and was closed
CrashDumpEnabled
<NAME>%s</NAME>
CurrentType
- Snapshot status: %08X.
Thread32Next
AppPath
WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed with status 0x%x
<INFNAME>
OPCO0
;.;K;
353;3d3s3x3
<H<s<
Failed to set reporting mode to FALSE
ext-ms-win-imm-l1-1-0.dll
IptNumTries
DontSendAdditionalData
TargetModOffset
QSh8 @
ImageExecutionOptions
TargetState
AcquireSRWLockExclusive
.imrsiv
:%:<:G:h:u:
NODE_ID
44484D4d4l4x4
TTBL<
Invalid dump file %ws
%s:%s@%s
1-131|1
>)>F>
03090>0w0|0
ReflectDebugger
- Process WER flags: %08X.
- Dumper status: %08X.
<ARCHITECTURE>%u</ARCHITECTURE>
LegalCopyright
AutoVerifierBucketID
CKernelReportDataCollection::AddMarkerFileData
WerReportSetParameter
PWh$c@
OpenProcess failed for initiating pid %d (0x%x)
;K;b;$<
@aV^p
!(7Kx
2*2/2K2P2e2
coreclr.dll
CrashTimeFromStart
VirtualQuery
1#1]1b1
WER/CrashAPI:%u: ERROR ReadProcessMemory failed while trying to read Peb32BaseAddress
onecore\windows\feedback\core\werfault\kernel\kerneldatacollection.cpp
060I0O0T0
1.1M1U1m1
UserMessage
_^[Y]
L$4_^[3
WAIT_TYPE
PRVA`
M0K0I
YZ^dqa
PVj9Wj
8j\hP`@
type="win32"
iytttZrW
DefaultConsent
ntdll
g.e|3
<CLASSGUID>
9G9q9w9
3(3D3H3T3`3
1Q1g1~1
WerpSetTelemetryKernelParams
PhPd@
VhLj@
u!hL @
5/5A5L5\5a5|5
9w t,
\T1rv?t
<dpiAware>true</dpiAware>
3%3X3l3~3
yBWhx
=#=(=7=K=Q=V=i=t=
.rdata$zzzdbg
_vsnprintf_s
191123202702Z0
<ERROR>Failed at Step: %s with error 0x%x</ERROR>
CFG_VIOLATION
8&868<8A8l8
6S6e6x6
LoadStringW
Wdrvstore.dll
SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-OCA-IPT
GetDriveTypeW
realloc
.rdata
Process32NextW
AppRecorderEnabled
Abandoning reflection due to server request
1?1u1
api-ms-win-core-errorhandling-l1-1-0.dll
<&<K=
RegisterEventSourceW
GetThreadWaitChain
RegDeleteKeyW
SafeCopyMemory
QueryFullProcessImageNameW
OpenSCManagerW
Vh\"@
wrMoOhg
Hang Type
EditionID
GetSystemDirectory failed
E5vv4
wcsstr
BCryptFinishHash
KernelDump failed: 0x%x
CKernelReportDataCollection::GetDeviceData
2!2Q2X2
FP#FT;
OpenProcess failed for faulting pid %d (0x%x)
IsWow64Process
l}~In
SYSTEM\CurrentControlSet\Control\CrashControl
BypassPowerThrottling
!RE`-
1(1B1Y1p1|1
%Microsoft Windows Production PCA 20110
6*6Q6V6
wil::details_abi::ProcessLocalStorageData<struct wil::details_abi::ProcessLocalData>::Acquire
EnsureKernelQueueRegkeyExists returned a NULL key handle, failing
0Q1{1
CryptAcquireContext with CRYPT_NEWKEYSET failed
WaitForSingleObject
RtlInitUnicodeString
( ' (
YYf97tZ
;YTs]
DebugApplications
>C>I>
txh<4@
dc.noreflect
WER/CrashAPI:%u: ERROR NtWow64ReadVirtualMemory64 failed with 0x%x
_NT_SOURCE_PATH
FileTimeToLocalTime failed
k?DkZ
ForceUserModeCabCollection
OpenProcessToken
\SVW3
Software\Microsoft\Windows\Windows Error Reporting
2)32373R3W3~3
;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;
MaxArchiveCount
D$$Pj
.ib:?
onecore\windows\feedback\core\werfault\user\userfault.cpp
GetModuleFileNameA
No dump file to get header from
yJh4^@
<%=3=?=j=w=
0 1O1
6A6F6e6j6
1-121P1x1}1
onecore\windows\feedback\core\werfault\exe\standard\werfaultexemain.cpp
StartTraceW
<#<T<g<
NtWow64QueryInformationProcess64
:%:*:H:a:m:
</REG_VALUE>
Out of memory.
I!qnW
UtilGetFileInfo failed
api-ms-win-core-sysinfo-l1-1-0.dll
0*1/1w1|1
FileTimeToSystemTime failed
WIN://SYSAPPID
6&656P6j6w6
IptTraceDurationInDays
ReportId
Snapshot dumper deactivated.
memcpy
u0WSh$k@
pvccvg
.idata$3
j2VVS
%u_%u_%u
PSj h
Invalid
6Q7[7`7
261019185142Z0
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
Microsoft Time-Stamp service
</DRIVER>
;';,;W;z;
=B(*N
Failed to save the settings for the path
QSVWhL(@
#(((0:
.didat$5
u$h`T@
_HANGREP_XPROC_PKGFULLNAME
L$(Qh@l@
File does not exist: %ws
GetPackageFullName
^pEie
SetErrorMode
RtlDllShutdownInProgress
)FrC~
; ;(;<;D;L;p;
WER-%u-%u.sysdata.xml
api-ms-win-core-processtopology-obsolete-l1-1-0.dll
UploadOnFreeNetworksOnly
tQf;4
;r;y;
?%?,?I?f?
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
|7#PV
ForceQueue
D$0PS
"Microsoft Window
WerpSetTelemetryKernelParams failed
SHGetFolderPathW
aSystem
VhHn@
rundll32.exe
sos.dll
RegGetKeySecurity
ProgIDFromCLSID
P@o_/<
111<1A1}1
api-ms-win-downlevel-shlwapi-l2-1-1.dll
ExpandEnvironmentStringsW
D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)
CDumpProcessor::ProcessDump
_HANGREP_PKGRELAPPID
</DEVICE>
ext-ms-win-kernel32-package-l1-1-0.dll
PWh(|@
SearchPathW
UU1??
SetupDiGetDevicePropertyW
werui.dll
LEVL@
__setusermatherr
0 1(191[1
??0exception@@QAE@XZ
1!1:1@1E1c1h1
y%h0`@
{c\\]Y
HeapFree
%s/%x
_except_handler4_common
1http://www.microsoft.com/PKI/docs/CPS/default.htm0@
2Local\SM0:%d:%d:%hs
ext-ms-win-ntuser-windowstation-l1-1-1
GetTickCount
2!2(2F2M2x2
GA,%
>+>B>\>
838>8D8I8Y8_8d8
9!:':8:]:
0 0(00080@0H0P0X0`0h0p0x0
2<Ze8
5iXzG
6 6@6X6p6
windows8
</EXTENSIONSUBMISSIONIDS>
rI"(K~~8b9
; ;j;{;
8f;:u
.CRT$XIY
Local\WERReportingForProcess%u
LLCv||
uuuzgggaaaa1SSS
Out of cross process pid space
3(4.4K4s4y4
83989N9j9t9
System\CurrentControlSet\Control\CrashControl\FullLiveKernelReports
0$2/2?2D2Q2d2
/>
:0:I:P:[:b:m:t:
_NT_DEBUG_LOG_FILE_APPEND
FULLHASH
OutOfProcessExceptionEventCallback
SetConsoleCtrlHandler
~8PAGEuM
WEVT_TEMPLATE
ResultLoggingCallback failure. Could not Sprintf.
9s0t2
</DRIVERS>
3%323N3f3q3
QueryServiceConfigW
*<tYE
DumpFile
8-9=9
8 8A8K8|8
QueryInterface failed for IDebugControl
3/3b3
%s\%s\%u-%u.etl
DataCenter Server
MultiByteToWideChar
=H=Q=c=w=|=
"#$$333555S
:7;=;N;S;e;
WWWhH
PQRj^h
Application Version
Additional Hang Signature 4
hIDATg
sysdata.xml
onecore\shell\lib\calleridentity\calleridentity.cpp
api-ms-win-core-memory-l1-1-0.dll
WVhHn@
EventSetInformation
Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
F #F$;
CKernelReport::CheckAndDeleteMemoryDump
LiveReportFlushInterval
onecore\windows\feedback\core\werfault\kernel\kernelfault.cpp
CUU666
Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a
RtlCompareUnicodeString
iswspace
VERSION
GetFileVersionInfoSizeExW
<SUBMISSIONID>
GetShellWindow
k-RIz
FDR_FLUSH_MESSAGE
OutputDebugStringW
CaptureSnapshot
AvailableFull
t$(Sh
424f4}4
5A6V6[6
CKernelReportDataCollection::GetSubmissionId
<requestedPrivileges>
ReturnHr
C*7ph^
ckhkkkoootttw
<DATA>%s</DATA>
BDEWt1
%s\system32\cofire.exe
="=1=^={=
advapi32
WINTRUST.dll
Additional Hang Signature 1
uiAccess="false"
6"7a7f7
t$T#D$ 3
-tZ[)
VQPWV
A1I5E
.rdata$sxdata
EnableFullKernelDump: Setting CrashDumpEnabled to %u
D$<PWWW
VWj43
aMwQRUT{<
9 :%:6:[:`:v:
oleaut32
api-ms-win-core-libraryloader-l1-2-1.dll
y"hhx@
StrStrIW
4 4$4(4,404@4D4H4L4P4X4`4h4p4|4
<INFDATE>
=-=a=n=
<PRODUCTNAME>
ext-ms-win-ntuser-message-l1-1-3
pps7tuxf
Additional Hang Signature 7
WriteDumpFileWide failed
2>Q1q?C.z{
TextHash12_%03x
CROSS_PROC
ApiSetQueryApiSetPresence
CodeSite
808<8\8h8
:9;B;{;
k KLZ?|
CreateProcessW
9F9K9x9}9
System\CurrentControlSet\Control\CrashControl
CallReturnState
</dependentAssembly>
|'32c
142?2D2M2e2v2
Invalid path
DUMPu
UuidToStringW
,+/-I
Failed to load livedump settings
&''1??
$`2X`F
RegEnumKeyEx failed
D$ 90t
131J1O1`1
verifier.dll
1#1:1\1o1t1
ComActivation
<DEVICES>
3-3b3i3v3
0"131Y1`1
:&:<:f:
NoHeap
api-ms-win-security-base-l1-1-0.dll
?/?4???I?Y?b?r?
?)?f?}?
SOFTWARE\Microsoft\SQMClient
dc.xpmemdump
.CRT$XCAA
api-ms-win-core-sysinfo-l1-2-0.dll
yoh`W@
WerpAuxmdDumpProcessImages
G0PjXV
CLiveDumpProcessor::CancelMiniLiveReport
WerReportCloseHandle
8Y9o9v9
ConvertLiveDumpAndReport failed
DisableArchive
L$4^3
ReleaseSRWLockShared
5+505a5k5
ext-ms-win-ntuser-uicontext-ext-l1-1-0.dll
</VERSION>
SetupDiGetClassDevs
9M9W9]9n9
=3=y=
Sh,7@
<.<I<R<d<
VerifierGetInfoForException
ext-ms-win-ntuser-windowstation-l1-1-0.dll
GetProductInfo failed
27-J/ B
CreateThread
Driververifier
9X:e:j:
.00cfg
2(363;3S3p3
Attempting to reflect reporting process!
_wcsicmp
~ux~k
D$ j P
FreeLibrary
CryptAcquireContextW
Failed to create path
SSShX
CreateEvent failed for live conversion
dbgeng.dll
Ph(1@
FailFast
CloseThreadpoolWait
2#2P2U2h2y2
SendReport failed for %ws
Owners
WER/CrashAPI:%u: ERROR WerpNtWow64ReadVirtualMemory64 failed while trying to read PebBaseAddress
Could not delete ReportId %ws tree
51565F5Y5`5j5~5
FullLiveKernelReports
;#<(<8<[<`<s<x<
http://www.microsoft.com/windows0
full_dump
win:WDIDiag
F0#F4;
KCW;"##$$333<
? ?,?L?X?`?
AutoVerifierCount
Gh< @
CompanyName
=_>I?
d%s\FullLiveKernelReports\%s\%s
api-ms-win-shell-shellfolders-l1-1-0.dll
OSVersionInformation
CKernelReport::ReportAllLiveReports
=VVVVVVV
GetCurrentThreadId
coreclr
yQhHq@
5 5(545T5`5h5
5#5=5I5m5r5
WaitForThreadpoolTimerCallbacks
StopTraceW
No minidump file set
WriteDriverRecord failed
SSSSSS
;E<L<j<q<
8!8;8F8K8a8x8
Drivers\
;3;9;J;t;y;
<8<I<
5$5;5Q5d5x5
y"h u@
ForceEtw
Socket
GetDeviceData
=d=p=
j/j0Q
Add to head failed
Failed to save the settings
ExcludedApplications
GetMappedFileNameW
CryptCATAdminReleaseContext
X!X?9ap
D$xSV
GetProcessHeap
VerifierFlags
LPEShiftRegister
Sleep
WE0(###'b
,-/2K
;#;7;<;h;q;v;
;";K;V;[;t;
ext-ms-win-ntuser-message-l1-1-2
0VWjFXjHf
MoveFileEx failed
7!7<7V7c7p7~7
1$2G2m2
:+;0;@;
080q0
(TransitionUM)
CKernelReport::ReportLiveReport
393c3h3
8Y8p8
?)?T?w?
AskKernel
<&<F<K<s<x<
SOFTWARE\Microsoft\Windows NT\CurrentVersion
FreeLibraryAndExitThread
Wh|-@
GetUserDefaultUILanguage
WerpSetIptEnabled failed
GetDiskFreeSpaceExW
272Y2w2
rpcrt4
</security>
%d-AppRecorderEnabled
9)9<9F9T9]9t9
NON_SYSTEM_FILE_CORRUPTED
Microsoft-Windows-WER-Diag/Operational
AppRecorderVersion
=j Xj
>[?a?p?
'
)Microsoft Root Certificate Authority 20100
UNKNOWN
> >(>4>T>\>d>p>
RegOpenKeyExW
CLiveDumpSettings::LoadSettings
ReleaseSemaphore
<assemblyIdentity
wcsncpy_s
20190308093423Z0t0:
Phtw@
p/GVv
<:<?<\<d<s<
1#2(282^2g2l2|2
dc.CustomDump
8!8?8U8[8`8z8
0x%08x (0x%08x, 0x%08x, 0x%08x, 0x%08x)
CoUnmarshalInterface
_wcsnicmp
FindFirstFileW
2R3l3
CreateEvent failed
</SYSTEM>
Failed to initialize for FinalDumpFileLocation with error
SetSecurityDescriptorDacl
8C9H9Y9u9
default
HamDisconnectFromServer
Pj/hx+@
42474G4s4
Global\WerKernelVerticalReporting
1I1O1`1
FindNextFileNameW
EVNTx
kernelbase
api-ms-win-core-console-l1-1-0.dll
CloseThreadpoolTimer
GetLongPathNameW
NtQueryEvent
Shp_@
InPageCoFire
NtAlpcSendWaitReceivePort
PRVAl
Found %u native processes for xproc module: %s
?DOO;
ResolveDelayLoadedAPI
8@8T8Y8i8
3S 3?2
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
8#8=8V8[8
_NT_EXECUTABLE_IMAGE_PATH
y(Vhd
t$pVQ
\KernelObjects\HighCommitCondition
PWWWWWW
TempDestination
%s\LiveKernelReports\%s\%s\Busy
APPVER
<?xml version="1.0" encoding="UTF-16"?>
ShipAssert
|hK,_
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
=">(>
mscorsvr
CryptCATEnumerateCatAttr
CheckTokenMembership
WerpResetTransientImageCacheStatistics
wcsrchr
?H?k?
A problem caused this program to stop interacting with Windows.
ext-ms-win-ntuser-windowstation-l1-1-0
SYSTEM\CurrentControlSet\Control\Session Manager
38=Op
NtResumeProcess
RegQueryInfoKey failed.
WaitForMultipleObjects
;2<K<i<x<
&Qq+~d
MoveAndSecureFile
4-405@5P5c5h5u5
DefaultInstance
5D5I5g5
_NT_DEBUG_LOG_FILE_OPEN
NtFreeVirtualMemory
.didat$7
MaxRetriesForSasRenewal
7#7(7F7V7[7
20190307065803.854Z0
dc.expmoddata
memmove
0%0B0
CKernelReport::WaitForLiveDumpConversion
(caller: %p)
4?4O4c4h4
3T6_6d6
api-ms-win-core-rtlsupport-l1-2-0.dll
<(<-<T<Y<i<
T$TPR
CryptCATAdminEnumCatalogFromHash
Starting kernel vertical - %S
Deleting live kernel dumps failed
PhL0@
_callnewh
5/54595I5a5f5v5
WerpAuxmdFreeCopyBuffer
RPCRT4.dll
hiiiq
OpenProcess
__aee
250701214655Z0|1
WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed with status: 0x%x
DriverStoreGetObjectProperty for DEVPKEY_DriverPackage_DriverFlightIds failed
SendReport failed
VWj@_W
__set_app_type
WaitOnAddress
WerpFreeUnmappedVaRanges
PicRetrieveFileInfo
9M9R9
242t2
(null)
<0<J<O<p<u<
ControlHandlerRoutineInvoked
FindFirstFileNameW
0-0G0L0r0
type="win32"
#/m_HS
>'>.>=>D>u>
RtlImageNtHeaderEx
QueueKernelReport failed
<C<K<Q<a<
IDATx
>0>A>Z>w>|>
10ESt
Small Business Server (restricted)
5.64696
818:8R8Y8h8
DriverStoreGetObjectPropertyW
1=1B1S1
VWh`X@
{HDU64u
040904B0
uhVWh
u$WSQ
4:o/7E
<D=W=b=g=
.rdata$zETW2
UtilLoadDbgEng failed
1)1.1D1_1
WerSubmitReport failed
Failed to query the report id count for %ws.
lsZRRP
CreateFileMappingW
QUERY_ERROR
||tDl
229879+4379540
0W1\1l1
arOi9o
7!7'777X7
ExtraInfo1
D$(PQ
NtQueryInformationThread
6F+&I
AcquireSRWLockShared
swprintf_s
6F6]6b6
WerAddFile failed
889>9C9i9t9~9
/)E>Q
- Post-read calls: %9u.
DontShowUI
##$$$335566
ext-ms-win-wevtapi-eventlog-l1-1-2
545@5I5\5s5
WER/CrashAPI:%u: ERROR ReadProcessMemory failed while trying to read PebBaseAddress
D$`Pj
<#<h<
MinRamAmount
Ph f@
TargetAddress
onecore\windows\feedback\core\werfault\kernel\livedumpprocessor.cpp
Qh@l@
RegisterWaitChainCOMCallback
Embedded
3*3/3M3w3
>8>K>P>
IDATg
WerpCreateIntegratorReportId
Open process failed unexpectedly: 0X%X
ZwUpdateWnfStateData
RpcStringFreeW
xMC;]
VhHI@
&0+0;0W0
%u.%u.%u.%u
ConfigureTelemetryOptInChangeNotification
B;WG "#$$337
2U2Z2j2
SYSTEM\CurrentControlSet\Control\CrashControl\MachineCrash
WER/CrashAPI:%u: ERROR Invalid params
Vh(n@
wMtd!v
OpenDumpFileWide failed for %ws
Sprintf failed for bame and value
Unexpected snapshot status present in the shared data %x
Could not delete busy key
ext-ms-win-imm-l1-1-0
{HDUMPt
Live kernel dump
CreateEvent succeeded for %ws
wcscat_s
4=5B5R5|5
3%4.474<4L4o4t4
tDDDDFVw
PVh`X@
soe}}
j2!Ib
SetEnvironmentVariableW
7N7S7
3"3(3.3L3W3
CreateToolhelp32Snapshot
ReadFile
9,989X9`9l9
- Pre-read calls: %9u.
PowerSettingRegisterNotification
o+k#X
GetThreadUILanguage
4#5(5H5_5d5
RegQueryValueExW
919O9
Software\Microsoft\.NETFramework
Hang Signature
VarFileInfo
Failed to sprintf registry key name
/s-dsA
:$:(:H:d:h:
DriverStoreGetObjectProperty for DEVPKEY_DriverPackage_ClassGuid failed
T$0QQV
PageHeapFaultTimeOut
HRESULT
x>G;~
totk\
PSSSS
api-ms-win-service-management-l2-1-0.dll
3 333x3
mscorwks.dll
aUONV
</requestedPrivileges>
0%060>0T0\0
Software\Policies\Microsoft\Windows\DataCollection
AutoVerifierFlags
Empty path was found for the live kernel location
_vsnwprintf
383\3
ReadProcessMemory
api-ms-win-core-libraryloader-l1-2-0.dll
RtlUnsubscribeWnfNotificationWaitForCompletion
Invalid args
4+H2g
UtilDebugCreateEx failed for IDebugClient4
8/9R9a9n9
Failed to save for FinalDumpFileLocation with error
00000000-0000-0000-0000-000000000000
8@8R8W8u8
4F4Z4
:#:1:<:
RegDeleteTreeW
CreateFileW
8:9L9Q9
=.=j=
XMLEncodeString failed for value
gdi32
WWWhX
YdsY\
CDumpProcessor::ConvertDumpFile::<lambda_78b62c26dc0c8950a86a38810ed592b3>::operator ()
AllocateAndInitializeSid
ElevatedDataCollectionStatus.txt
L$T^[3
BugCheck
<requestedExecutionLevel
\StringFileInfo\%04x%04x\%s
_NT_DEBUGGER_EXTENSION_PATH
SSShH
WerpSetProcessTimelines
%EVENT_PROCESSTERMINATION_CROSSPROCESS
D$ Pj
Vh\u@
Mo2$IJx
4.464K4T4Y4v4
RegGetValueW
Additional Hang Signature 6
CKernelReportDataCollection::XMLEncodeString
</DEVICES>
Module32FirstW
WerpSetIntegratorReportId
WerpPromptUser
9$9J9P9[9f9q9
<OSVER>%u.%u.%u %u.%u</OSVER>
Has |_
FTH_EXCEPTION_OF_INTEREST
>)>2>=>D>V>\>b>h>n>t>{>
X_GJI
Ph\^@
DisableSnapshots
##$#XX[Iy}
;";';=;N;l;
FormatMessageW
6+6B6Y6
/SHARED
CorporateWerUseAuthentication
Sh|t@
BuildSecurityDescriptorW
_wcstoui64
WmiPrvSE.exe
EtwGetTraceLoggerHandle
677?7O7\7v7
Altitude
a,M.cbd
WER/CrashAPI:%u: ERROR OOM
VVVVVVW
CoUninitialize
%u_%u
Sprintf failed while trying to print the node name
<!-- Copyright (c) Microsoft Corporation -->
5"6'626C6H6X6q6v6
user32
EtwGetTraceEnableLevel
51575b5k5p5
2)333?3G3L3n3y3~3
4(4x4
Failed to create the plugins
G?9"!
%s-%d
1$1,1D1H1d1h1
0F0e0
4=4G4[4`4
~HDUMPuG
8%8+808I8k8
DeleteCriticalSection
7$7<7@7P7t7|7
WerpAddRegisteredDataToReport
api-ms-win-core-windowserrorreporting-l1-1-0.dll
<?xml version="1.0" encoding="UTF-16" ?>
dc.OnDemandKdmp
,SVWj
api-ms-win-shcore-obsolete-l1-1-0.dll
Kernel-ProductInfo
WerpForceDeferredCollection
WerpAddTerminationReason
win:Info
AutoApproveOSDumps
RtlCompareMemory
889>9s9
ext-ms-win-ntuser-window-l1-1-2
`.imrsiv
Vh,[@
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
4g4m4r4|4
Module32NextW
default=%s
Attempting to cross-proc reporting process!
WAIT_CHAIN
WindowsNTVersion
DuplicateHandle
7(7-7F7O7g7s7~7
7'7J7O7V7\7
2>2C2f2k2
= =;=T=
Software\Microsoft\Windows\Windows Error Reporting\Hangs
gdiplus
DisableWerUpload
GetFileSize
E899a99:ZnnnZ
2-2:2?2
>(>s>x>
4$404P4X4`4l4
VerifyDrivers=
NtAlpcConnectPort
,o*k0
WaitForThreadpoolWaitCallbacks
D$ SV3
WhL @
WerpGetReportFlags
EqualSid
8b9h9y9
:.:9:G:f:
api-ms-win-service-management-l1-1-0.dll
WerpStitchedMinidumpVmQueryCallback
GetWindowThreadProcessId
949P9\9|9
version
747L7
NdWj,
DumpFileAttributes
DU64u
Pj6hT
:(:8:U:\:a:
373B3I3
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Failed to append to buffer
GetThreadPriority
1 1$14181H1L1\1`1p1t1
666;6Z6_6v6{6
GetLengthSid
1(282D2L2
3fAt&!
585H5M5w5
HamPopulateActivityPropertiesByClass
_wtoi64
UserCrashMain
\Device\LanmanRedirector
:7:<:]:
_C9*g
dc.xpmodmem
HangReportError
Vh8J@
Microsoft Corporation1200
Vh(J@
HangrepBgTaskEntryPoint
EnnLqf2
AddMarkerFileDataEx (*.wdf) failed
WriteFile
NtClose
mscorwks
Washington1
<?xml version="1.0" encoding="utf-16"?>
1(161N1S1g1
VirtualFree
9/9j9o9
:0:E:J:a:}:
4#4T4q4}4
BugCheckParameter2
<OSLANGUAGE>%u</OSLANGUAGE>
EnableFullKernelDump: CrashDumpEnabled was %u
toPPPh
Y"*Kd
1A1[1`1
AUXILIARY_PROCESSES
MiniDumpDir
Pj.h\
1*2/2?2a2f2
hLj4h
QueueNoPesterInterval
0!0>0l0
full_dump=AskFull;full_dump=AvailableFull;full_dump=Any;fulldump=AskFull;fulldump=AvailableFull;fulldump=Any
5YJo`0
api-ms-win-core-threadpool-l1-2-0.dll
</DESCRIPTION>
IsServerOS
api-ms-win-core-heap-l2-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
RegCreateKeyEx failed
?M#Xa<
9"979k9
?"?(?4?D?M?`?f?l?r?x?~?
S8nRdV
AutoverifierEnabled
5&616<6G6]6n6
Failed to enum the keys for full live kernel event %ws
7E7J7v7
8+868;8K8P8f8
NtQuerySecurityPolicy
?,?7?D?M?T?p?
<<<d<k<
{wlg7
Status
DumpType
QueryOriginalBucket
9$919R9W9g9
6'7C7X7
9V:u:
9%:w:
8;8e8w8
7&8.8=8
:$:):F:Q:V:
ReportEventW
C5rpH
;A;b;g;
8K8T8[8a8z8.939D9V9[9m9
<'=,=<=Y=^=w=|=
;:;E;
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
__wgetmainargs
ReleaseSRWLockExclusive
7$7D7P7p7x7
3'3C3H3X3u3
Architecture
6.646}6
uNPPV
>!?R?
5?5r5
1'1.1_1v1}1
;?<L<
QQShX4@
HSPjH
4>4M4S4d4y4
7;7@7U7f7
02171G1
VWj@3
Failed to copy the dump path in the list
031G1
?/?3?8?>?D?J?P?V?\?b?i?o?u?{?
[%hs(%hs)]
api-ms-win-core-delayload-l1-1-1.dll
d<%s>
QueryPerformanceCounter
WerpHashApplicationParameters
Microsoft-Windows-WER-SystemErrorReporting
CCCC/;
Reason
:B;G;W;n;s;
wil::details::ReleaseMutex
CollectReflectionDump failed with: 0x%x
WWWWWPj!
RtlAdjustPrivilege
Integrator report ID: %ws
999>9\9
CKernelReport::~CKernelReport
Too many kernel faults in the queue: %u
CDumpProcessor::SaveFinalDumpFilePath
3hp=@
0C0H0\0
2#2(282b2g2p2
y%hHm@
151<1R1]1s1}1
msvcrt.dll
%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x
?>@8__ajNeS
StringFileInfo
3kEvM
WVPSV
ext-ms-win-ntuser-message-l1-1-1
WerpSetReportApplicationIdentity
Global\Microsoft.Windows.Setup
dq!lsU
MoAppHangXProc
WerpGetNumFiles
api-ms-win-core-handle-l1-1-0.dll
GetLogicalDriveStringsW
:&:+:9:?:D:[:b:o:
_unloaded
OptInLevel
BCryptHashData
</SYSTEMINFO>
6#6(6N6X6~6
5P6y6
CallReturnModOffset
TargetRegionSize
v|DlLl
262I2e2x2
ALGORITHM
XMLEncodeString failed
QQVhd
WerReportCreate
ProcID
sj:z7x
triagedump.dmp
*.mrk
Failed to load crash settings
CrashedAppName
Microsoft Time-Stamp service0
1f;2u
WerpAddAppCompatData
>A?L?v?
.text$mn
)G_V+5
<MANUFACTURER>
RegSetKeyValueW
Process32FirstW
>6>`>k>
DU64u!
4"4(4-4}4
Could not open key %ws
CKernelReportDataCollection::WriteDriverRecord
HamConnectToServer
publicKeyToken="6595b64144ccf1df"
^IH}D#
<DRIVERS>
5#5N5S5h5
L$|_^[3
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
4T4Z4_4
StackTraceDatabaseSizeInMb
WerpSetReportIsFatal
MiniDumpWriteDump
VhP,@
1+1G1L1]1
WerUIReportHang
2+292F2p2
EventWriteTransfer
WER/CrashAPI:%u: ERROR No PEB for process
;(;5;>;J;P;m;r;|;
1W1h1
;hPb@
1^2k2J3Q3{3&5W5^5z5
?0?~?
ALTITUDE
OpenThread
param1
api-ms-win-security-trustee-l1-1-0.dll
CRYPTSP.dll
=-=3===C=L=Q=
CONTEXT_SWITCHES
Invalid commandline passed
Overwrite
5H5d5j5o5
4#5(585v5
Ph,[@
ext-ms-win-wevtapi-eventlog-l1-1-0
2$242D2I2S2X2
:);6;;;X;u;};
172=2B2v2|2
Thread32First
$Um0&
$Ir(Q(
Fh+w"
~<DUMPuD
.didat$6
GuidToString failed
2?7GT
GetPriorityClass
PRQj$h`
WerpStitchedMinidumpVmPostReadCallback
WerCreateReport returned a NULL report handle, failing
VVVVV
DisableEnterpriseAuthProxy
WerpAddFile failed
t$<WP
ExtraInfo3
<(<0<<<\<d<p<
RtlCreateProcessReflection
TargetType
ImmDisableIME
u&Sh0j@
UuidCreate
IsDebuggerPresent
api-ms-win-core-com-private-l1-1-0.dll
GlobalMemoryStatusEx
,/113
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
Sh\b@
iSHp6
6E7J7}7
.rdata$zETW1
WerVerticalDisabled
PolicyManager_GetPolicy
Invalid command lines passed
2-333
PersistDumpDiskSpaceLimit
</CLASSGUID>
kt:u:
PRVAL
Invalid file '%ws'
MoOsMitigation
Shh7@
9{|vA
QSVWj
8f;9u
323;3D3I3|3
Sh$d@
y/WhX
RaiseFailFastException
GetFileAttributesEx failed for %ws
=&=A=\=w=
api-ms-win-core-processthreads-l1-1-1.dll
8@9g9
2?2P2^2c2
WerUIReportSilentProcessExit
<VERSION>
CorporateWerPortNumber
WAIT_THREAD
4"5.595m5r5
7Z7s7
6*7F7Q7
GetSystemWow64Directory2W
CLiveDumpProcessor::ConvertLiveDump
7#7V7
CKernelReport::RestoreDumpSettings
515E5e5
{{y~A
;%;*;F;K;`;u;
5I5V5j5y5
LogFileMode
2"2'272[2f2y2
8-8Y8d8
StringCchCat failed
.CRT$XCA
051X1
CryptReleaseContext
Additional Hang Signature 5
Back Office Server
*.wdf
NtQueryInformationProcess
?!?&?F?O?T?i?}?
4'444=4F4O4X4s4
K%ffg
DPAGEt*h
$ B6
api-ms-win-eventing-legacy-l1-1-0.dll
SetThreadpoolTimer
=+=W=b=g=}=
<#=9=Q=s=
dllhost.exe
ExtractBootId failed
Windows Problem Reporting
??1type_info@@UAE@XZ
:#;);.;:;@;E;Q;W;\;
UnhandledExceptionFilter
Failed live report. Path %ws
919@9x9
>#>9>>>S>e>j>
\KernelObjects\MemoryErrors
,pFJy
ProcessDump failed
5=5F5S5
F,VhP\B
GetWindowsDirectoryW
WaitOnCoreHang
PSSSSSSSjSj
EventUnregister
DllLl
> >G>T>Y>w>
PhL@@
u(f98t
wcscpy_s
U0S0Q
Q!C/C-D
?'?1?6?Q?
GetVersionExW
RtlNtStatusToDosErrorNoTeb
"#$$33354466T
*** Time for dump conversion (ms): %u
Cannot construct mod name signature.
>#>B>T>`>z>
MapViewOfFile
<"<'<p<v<{<
DC.NoSnapshot
MemoryDump
GetProcessWindowStation
<DEVICE>
Initialize failed for CRASH_DUMP_ENABLED_NEW
SetupDiGetClassDevsW
GetSystemDirectoryW
> >&>+>I>m>s>x>
DisableDiagnosticDataViewer
<asmv3:application>
6(676j6
VS_VERSION_INFO
<DESCRIPTION>
Edition
CreateWellKnownSid
api-ms-win-core-synch-l1-2-0.dll
api-ms-win-core-processsnapshot-l1-1-0.dll
R%I=V
6>6T6t6
IsValidDumpFile
8"868A8Q8
<R<\<a<t<
<7<Y<d<i<
No shared mem handle passed
.CRT$XCZ
faultrep.dll
Vh f@
TEMPP
aK-0t
X,bhh(
NtWow64ReadVirtualMemory64
RegEnumValue failed
:!:L:
e}2m[
HKEY_CURRENT_USER\
CCrashControlSettings::LoadSettings
9t$,t)=
t#VVj
ccv{b
Software\Microsoft\Windows\Windows Error Reporting\Plugins\Autoverifier
%$#bc
%0I64x
CheckRemoteDebuggerPresent
Exception
0000da39a3ee5e6b4b0d3255bfef95601890afd80709
ZwQueryWnfStateNameInformation
WerReportSubmit
D$(Pj
TargetModName
kernel32
<EXTENSIONSUBMISSIONIDS>
OutOfProcessExceptionEventDebuggerLaunchCallback
=.=8=I=r=
ReportAllLiveReports failed
<%<+<0<@<F<K<W<b<g<
3(3,3<3@3P3T3d3h3x3|3
WerpFreeString
7=7B7W7o7z7
1%1_1
Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
false
.data
PPjLj
=$=4=G=N=S=d={=
api-ms-win-core-shlwapi-obsolete-l1-1-0.dll
:$:D:L:X:x:
CallReturnInstructionBytesLength
{C712AF3D-ED1E-46A9-B843-E9014D29CAEE}
UITHREADSTACKHASH
Microsoft-Windows-WER-Diag
9&999M9T9g9n9
WerpAuxmdFree
;5;Z;
Vh`%@
050:0J0
959;9@9W9b9g9
GetSubmissionId (extension) failed
IptOption
LogPath
Microsoft.MicrosoftEdge_8wekyb3d8bbwe
~Invalid number of command line params passed
% "#$$$3355666=
.Py>o
memset
>?>T>]>b>r>
[%hs]
CallContext:[%hs]
@IJg^u
>X?e?
MODULEOFFSET_SELEXCL
TargetProtect
PPPh`?@
CKernelReport::AddUnsentReportsToWERQueue
Failed to load settings
:3:?:o:|:
ProcessLiveDump failed
GROUP
NoReflection
/--9Q
?R?q?
<#<9<L<^<z<
FX#F\;
(0-0F0y0
7&7,717
:/:4:R:j:~:
GetProcAddress
5L5P5X5`5x5
Copy failed
PQRj+
bcrypt.dll
ProductName
PageHeapFaultProbability
WerFault
ThreadHandle
< <2<E<
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
(2J)<
Failed to set reporting mode to true
t!QSW
GetDiskFreeSpaceEx failed
6 6V6
+CdyZ
Microsoft Corporation1.0,
onecore\windows\feedback\core\werfault\kernel\dumpprocessor.cpp
BCryptDestroyHash
String trim failed
2:2?2p2u2
CryptCATAdminCalcHashFromFileHandle
9"9'9K9
.idata$6
:!;&;|;
4 4%4P4Y4^4w4
5-575A5K5U5_5l5z5
NtSuspendProcess
<assemblyIdentity
version="6.0.0.0"
WER/CrashAPI:%u: ERROR WerpValidatePebHeader failed
8!8'83898J8s8
PssCaptureSnapshot
param3
TraceLog Failure: hr=0x%x at %hs:%d Code=%hs Function=%hs Message=%s
memory=%s
api-ms-win-core-heap-l1-1-0.dll
>8?`?
1<1D1x1
`"!boe
>&>U>t>
Microsoft\Windows\FDR
y%h<f@
9o9z9
4`5r5}5
D$dPV
<SYSTEMINFO>
Unable to register event source
0a1j1o1}1
Cannot log ETW event, Error %d
RegOpenKeyEx failed for report type
y"hHq@
LiveKernelReports
QLK6s
0#0;0y0~0
,,/1.9
aaaacZz
:#:-:9:A:F:l:v:
wil::details_abi::SemaphoreValue::TryGetValue
TRUNCATED
GetSystemData failed
Group
EnsureRegkeyExists failed
6"6&6,60666:6F6b6f6l6p6v6z6
XMLEncodeString failed for name
</INFNAME>
4,404@4X4p4
FileVersion
Ph8c@
9+91969K9d9
1,0*0
7VVVVVVV
tolower
(&t;M
coz7L
5#5-525H5N5S5
StringCchCopy failedTemp
Microsoft Corporation1&0$
%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
3]5g5
060;0S0
CKernelReport::ReportFromKQueue
1(0&0
7"8(8-8J8P8U8
2D2t2}2^3{3
WSSSS
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
180703204550Z
7*8b8
Source
wDDDD
wmain
yUUOy
%s@%s
version.xml
D$0PVS
WerpValidateReportKey
tRht;@
DFDFW;;
L7PcPj
%TwLh
>!>6>@>S>
2$2(282<2L2P2`2d2t2x2
$Microsoft Ireland Operations Limited1&0$
9(949?9D9{9
CString::Copy(miniDumpFile) failed
DEADLOCK
QueryInterface failed for IDebugDataSpace3
9#939M9
memcpy_s
>7>L>s>
onecore\windows\feedback\core\werfault\kernel\kernelhelper.cpp
Waiting on Application Version
AppHangTransient
8?8]8f8
Er&DIa
9;:T:[:h:
WerpTraceImageCacheStatistics
- Snapshot available: %u.
EnableKernelFlags
\WindowsErrorReportingServicePort
LineNumber
yyta8A+7%_kkkc
PssDuplicateSnapshot
isiss
DeregisterEventSource
WerpAuxmdInitialize
FileTimeToLocalFileTime
Invalid type found in the queue, entry deleted
0(262N2
cZCf@
WerFault.exe
Failed to get the live kernel report
050[0i0
HamCreateActivityForProcess
5*6/6]6b6
u$htT@
2&3@3T3Y3r3
>+>F>s>
RMCLIENT.dll
Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
VerifierDlls
BlueScreen
9C u@
DumpFileSize
Invalid mode passed: %u
;(;@;N;Z;~;
000E0S0_0g0
Microsoft-OCA-IPT
< <0<L<
VerQueryValueW
Global\WerKernelVerticalGeneratingDump
4G4]4b4r4
CoTaskMemAlloc
%d.%d.%s.%s.%s
GetThreadContext
9C:J:Z:q:z:
4SVWj.
<REG_VALUE>
PPPPP
CreateMutexExW
Failed to enum the keys for live kernel event %ws
CabArchiveFolder
SVWQQ3
EventRegister
9/989H9\9a9
CKernelReport::GetLiveReportsStoreRoot
Consent
.tdref
DeleteFileW
~h_^]
CoInitializeEx
W\ON\&96
t?hT;@
Failed to enumerate the report types
SYSTEM\CurrentControlSet\Control\MiniNT
GGG2I
0-1Y1^1n1
3gfYZ
4$5*5_5n5
CDumpProcessor::MoveDumpFile
FailingCode
GetProcessId
DebugCreateEx
OsMitigation
HeapAlloc
Vh$d@
:-;D;Z;
WER_Spew
B;PO( "##$)
>F>a>
p,: HA
AppHangXProcB1
ConfigureTelemetryOptInSettingsUx
:#:=:Y:h:
NewUserDefaultConsent
t%oD^f
R{Oim
Microsoft-Windows-ProcessExitMonitor
RegOpenKeyEx failed for root
DbgPrintEx
GetProcessTimes
IptTimeStamp
QueryVolumeFreeSpace
HamStartActivityAsync
TargetInstructionBytes
.data$brc
QSSSSSSP
>i?s?}?
6)6t6:7
62696
8P8|8
InternalName
6+6N6q6
9A9d9
AddMarkerFileDataEx (*.mrk) failed
malloc
t$ h0#A
QSVW3
IsWow64Process2
Minidump %ws does not exist, entry deleted
lpszSubmissionId is NULL
Open process failed for pid: %d
SSSRV
Windows Error Reporting
WER/CrashAPI:%u: ERROR Invalid arg
8I9c9w9
'h(o@
api-ms-win-core-profile-l1-1-0.dll
SessionSettings
Mutex
CallReturnBaseAddress
|$,Y3
.rsrc$02
<INFVERSION>
veLLlg{
Unable to open the file %ws for read
String append failed
_unlock
F(#F,;
708@8L8l8t8
NPh('@
0.0.0.0
w8QPSR
889F9K9\9u9z9
9~(s2Wj
HKCC\
"
q8}Up
8=8Q8V8
D#PJc
PSSjB
en-US
EnableTrace
CorporateWerUseSSL
module=%s
<dependency>
FindNextFileW
psr.exe
/ILF1
RXzf
OLEAUT32.dll
kernel32.dll
HKEY_CLASSES_ROOT\
0;1@1P1{1
OutOfProcessExceptionEventSignatureCallback
CoSetProxyBlanket
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
0f;1u
BufferSize
taskhost.exe
=E=Z=
IptBufferSize
PWh`X@
T$$RP
y9PVhH
Report is busy for %ws - %ws
.text$di
CryptCATClose
,//10
FindClose
</SERVICE>
:";);X;
;';H;M;b;x;
=/=<=I=N=l=
HangrepWERSVC2HANGREP
>">2>G>
ParseCommandLine
0#0;0@0V0
WerReportAddDump
GetTempPathW
<C=H=y=~=
ext-ms-win-ntuser-window-l1-1-0.dll
GetCurrentProcessId
CKernelReport::ConvertDumpAndReport
RegCreateKeyExW
GetVersionEx failed
WerpAuxmdMapFile
I0G1-0+
CDumpProcessor::ReadDumpHeader
.rdata$zETW0
QRPht
Instances
CreateThreadpoolTimer
8$8O8T8
SetKernelObjectSecurity
api-ms-win-core-wow64-l1-1-1.dll
DisableTelemetryOptInChangeNotification
j _9}
3$343
HamTerminateActivityHost
%s /stop
api-ms-win-core-file-l1-1-0.dll
0:1?1Z1_1z1
Whhe@
MoCFGSUP
WerpAuxmdDumpRegisteredBlocks
DelayLoadFailureHook
:-:w:
WerpGetFileByIndex
WerpSetIptEnabled
WaitForSingleObjectEx
PssWalkMarkerCreate
NtSetSystemInformation
2.3<3A3Z3
VWh(|@
<K<T<[<
;";(;-;P;V;[;u;
Microsoft.Windows.FaultReporting
$8884
RegOpenKeyEx failed
F@#FD;
api-ms-win-eventing-controller-l1-1-0.dll
WAIT_CHAIN_LIST
SVWQ3
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
f9>t0
EtwTraceMessage
y^Sh$
Message
9+;6;H;M;n;w;
787B7
D$@PVVV
3)3.3{3
processorArchitecture="x86"
NON null terminated string found for value: %ws
T3%X_
7'7,7[7e7w7}7
%s%s\%s
Reflection/ReserveMachineQueueDirectory attempt failed: 0X%X
- Snapshots disabled: %u.
CKernelReportDataCollection::AddMarkerFileDataEx
8P8U8x8
ExceptionCode
CoTaskMemFree
CHangReport::Create failed
BugCheckCode
Debugger
EtwUnregisterTraceGuids
3a4n4~4
636N6T6a6f6
PKGRELAPPID
\KernelObjects\LowMemoryCondition
wil::details_abi::SemaphoreValue::TryGetValueInternal
CKernelReport::SetReporting
!stackdbg /Sl /SL /si 0
.CRT$XIZ
WerpReportSprintfParameter
3,32373z3
3,3C3S3X3
6(6-656C6
Failed to read settings for DumpFile
ConvertStringSecurityDescriptorToSecurityDescriptor
QQQQQQP
PSSSSSSSjZj
Hangs
InitializeCriticalSectionEx
EtwRegisterTraceGuidsW
Professional
!This program cannot be run in DOS mode.
GenerateIntegratorReportId failed
Msg:[%ws]
697>7N7
\KernelObjects\MaximumCommitCondition
String replace failed
7C8j8
9C9W9\9q9
{MfDE
SetupVerifyInfFileW
4#4t4
api-ms-win-eventing-provider-l1-1-0.dll
MaxQueueCount
Disable
<DRIVER>
7 878E8w8
8(8.8?8Z8_8p8
PjOh`
<0<J<O<t<y<
Unable to report event
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
Redmond1
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
=C>H>a>r>y>~>
;J;O;i;
PROCESS_NAME
vLp{B
4D4u4
?"?8?L?Q?v?
elevated
\VarFileInfo\Translation
QueryPerformanceFrequency
5A7e7j7
ZF#2D
9O:T:g:y:~:
GetCurrentThread
6)Ee&
10,2G
OpenServiceW
2(363
112[2l2z2
wcspbrk
WerGetFlags
PhLj@
ext-ms-win-wevtapi-eventlog-l1-1-3
WAITINGONAPPNAME
D$ PPh|
api-ms-win-core-synch-l1-1-0.dll
WER/CrashAPI:%u: ERROR Invalid args in call to WerpGetRuntimeDllsListStart.
Autoverifier
api-ms-win-core-registry-l1-1-1.dll
[UserModeDump]
WWWWW
OpenSemaphoreW
triagedump.%04x.dmp
2!2;2@2Y2x2
AppRecorderCount
"%s" "%s" "%s"
api-ms-win-core-psapi-l1-1-0.dll
>#>(>N>
+k#L|
CallReturnInstructionBytesLength
WerpInitiateCrashReporting
Zj f;
<B=I=U=`=r=
ModuleName
:0;c;
DEg73
GetUserGeoID
M++,K0001
r~akow
7%757j7
Converting live dump failed
ext-ms-win-ntuser-message-l1-1-0
%h(o@
CFGSUP
EnterCriticalSection
.CRT$XCU
WerpFlushImageCache
Waiting on Application Name
ConvertStringSecurityDescriptorToSecurityDescriptorW
</%s>
WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed
Ph8 @
Ph$A@
:f;>u
StorePath
y~x~]
MemoryError
EnsureKernelQueueRegkeyExists failed
wdi.dll
8*818T8j8p8v8
4$424=4
Ji{^e
CKernelReportDataCollection::PrintRegKeyXML
= =0=5=K=P=
%04d/%02d/%02d:%02d:%02d:%02d
0U1_1m1r1
%hs(%d) tid(%x) %08X %ws
oK0D$"<
Ph<4@
PageHeapSizeRangeEnd
GetCurrentProcess
;4;;;
\\?\GLOBALROOT
FullLiveReportsMax
?+?;?@?Z?v?
</SUBMISSIONID>
BrokerUp
000>0D0I0i0w0}0
;";3;
ext-ms-win-imm-l1-1-1
>4>d>m>r>
<%s>%s</%s>
WerpAddFile
>3>C>I>N>r>x>
MODULELIST
_vscwprintf
!.DQ$
Crash
e|tLG
5$545f5k5
CorporateWerServer
NtQueryInformationToken
ext-ms-win-appcompat-aepic-l1-1-0.dll
?6?{?
%s\LiveKernelReports\%s
DisableNetworkWCT
Overwrite is false and file exists
LocalFree
DisableTelemetryOptInSettingsUx
`/%}N
.?AVResultException@wil@@
RSDS&q
`{{{-
BuildLabEx
pLogEvent
</assembly>
1!1N1a1x1
dXdr_
NtCreateFile
KEYWH
.didat$3
7)7.7X7d7{7
10.0.17763.379
{DPAGEu
onecore\base\telemetry\permission\product\telemetrypermission.cpp
GetDeviceData failed
windows
Translation
L$ RW
api-ms-win-power-setting-l1-1-0.dll
EventType
WerpGetExtendedDiagData
%s %d
.version.xml
ForceHeapDump
ShouldCaptureSnapshot
CallReturnInstructionBytes
8/8C8H8m8t8
Live minidump directory not set
> >U>[>
62686=6[6a6f6~6
<'<=<B<R<
919;9O9T9
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
CLiveDumpProcessor::ReadDumpHeader
3/3j4
ext-ms-win-ntuser-synch-l1-1-0
=1=E=K=Q=V=
;-<[<
0b1h1m1
j YS3
WilError_02
070F0v0
3=3C3H3{3
4S4f4
%u %s
QQSVj,
DSVWQQ3
Yn"$`g`&`
CKernelReportDataCollection::GetExtraReportFilePath
wcsncmp
SetupDiEnumDeviceInfo
OpenProcess failed for self, pid %d (0x%x)
0#0F0Q0V0o0z0
<dependentAssembly>
9"9;9@9_9d9y9~9
GetTempFileNameW
EtwGetTraceEnableFlags
ProductVersion
LiveKernelEvent
WinSta0
"###P
__p__commode
PageHeapDllRangeStart
0 0$0(0,0004080@0D0L0P0X0`0d0l0t0x0|0
434;4G4T4d4n4{4
{W9h_ak
StringCchCopy failed while copying the converted string
.didat$4
CoGetActivationState
=(=-=X=
ExtraInfo2
__CxxFrameHandler3
WerpInitializeImageCache
h4z\+5
IsValidSid
_onexit
StringCchPrintf failed while trying to create the file path
tnh(Y@
Dump not present or invalid
Vhhe@
3"3:3A3r3
No dump file present in crash control
4>5H5N5^5t5
.CRT$XIAA
506a6z6
Shho@
{las.
EQGJ9g
Build
2#2.232\2g2l2
Waiting on Package Full Name
999D9M9W9\9r9
onecore\windows\feedback\core\werfault\kernel\kernelreport.cpp
Windows
5!575K5n5s5
%DDCD0
<CREATIONDATE>%02d-%02d-%04d %02d:%02d:%02d</CREATIONDATE>
32484I4
>@>K>P>t>~>
7=7\7a7q7
PageHeapRandomProbability
Read queued report: creation time: %08X:%08X
api-ms-win-core-apiquery-l1-1-0.dll
fulldump
WakeByAddressSingle
.idata$2
Flavor
=/===V=
api-ms-win-core-debug-l1-1-0.dll
AUXILIARY_PROCESS
1c="61
CodeIntegrity.Telemetry
647N7e7{7
AppHangB1
DBX&23LG
%SystemRoot%\Minidump
WWj'S
;$;,;8;X;d;
6+6T6Y6i6
LastPromptedTime
PINDLL_OF_INTEREST
\t,h8 @
=$=0=P=\=|=
Initialize failed for CRASH_DUMP_ENABLED_OLD
DLllL
MinQueueSize
;;;E;Y;^;w;
WER/CrashAPI:%u: ERROR No 64 bit PEB for process
Read queued report: path: %ws
=$=*=}=
psapi.dll
WerpSetCallBack
>F?K?^?z?
System\CurrentControlSet\Services
AskFull
2/252:2Y2m2r2{2
5]6d6s6x6
= >;>I>W>
21383h3
=0>@>F>K>
060<0F0Z0_0~0
GetExitCodeThread
4!4i4n4~4
CabArchiveCreate
</dependency>
.gfids
141B1G1X1h1u1z1
SfcIsFileProtected
=N>V>o>
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Wh(|@
<F<r<w<
_,X:-z
TelemetryPermission-DefaultLevel
5)6.6C6O6U6
PhDA@
d{{{c
190726204550Z0p1
TargetBaseAddress
%hs(%d)\%hs!%p:
LiveKernelReportsQueueRoot
Operating System
praid:
WerpStitchedMinidumpVmPreReadCallback
MoAppHang
N0L0J
iYRj2
@.didat
ext-ms-win-wevtapi-eventlog-l1-1-1
GetModuleHandleExW
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s\Autoverifier
1T2Y2w2
RtlFreeSid
RtlGetVersion
Small Business Server
_cexit
4,474<4]4b4r4
SendMessage
ProcessHandle
Rhl0@
EventData
4b5u5
1'2V2
nhfiit
:,:4:9:
K4h-06
comctl32
_NT_ALT_SYMBOL_PATH
=&>Y>t>
6!7&767
dc.expmodmem
+}0-3T
<2<N<Z<`<q<
GetLastError
=/>s>x>
WER/CrashAPI:%u: ERROR NtWow64QueryInformationProcess64 failed with 0x%x
CLiveDumpProcessor::ProcessLiveDump
Microsoft.Windows.WERVertical
D$(VP
2b2g2
VM read statistics:
param4
F`#Fd;
EventWrite
ForceMetadata
LogHr
CTIPlugin::InvokeCallback=%S
_amsg_exit
K6OqZ
WER/CrashAPI:%u: ERROR ReadProcessMemory failed while trying to read WerRegistrationData
12==}
?terminate@@YAXXZ
_snwscanf_s
eY|uuU
NtDeviceIoControlFile
GetSubmissionId failed
63787I7e7
WerDiagController.dll
0`0f0
APPNAME
!stackdbg /sl /sL /Si 0
CommandLineToArgvW
Start
LogEvent
dc.xpdata
[Hf)"
>?>v>{>
Unknown
api-ms-win-security-sddl-l1-1-0.dll
vDDDdlz
QSVWj/
Failed to read the dumpfile setting for machine crash
BypassDataThrottling
"""$$'1<GU
wtDDWsv{p
StartServiceW
PVj8Wj
%s %u
;5;:;m;
KernelCrashMain
ext-ms-win-kernel32-package-l1-1-0
Reflection attempt failed: 0X%X
F4PSh
.dbgcfg.ini
/JKIH'R(
0L0U0^0i0n0
api-ms-win-core-timezone-l1-1-0.dll
WerPluginsInitialize failed
RestoreDumpSettings: Restoring CrashDumpEnabled to %u
Too large size
??1exception@@UAE@XZ
<"<'<8<R<`<
GetSystemInfo
PVVVVVV
CopySid
System\CurrentControlSet\Control\CrashControl\LiveKernelReports
#$$$3355<
WerpSetIntegratorReportId failed
393W3n3s3
2!2(23282`2
VVWh@
CryptCATOpen failed
5 606<6D6x6
Bucket=
WER/CrashAPI:%u: ERROR WerpNtWow64ReadVirtualMemory64 failed while trying to read PebBaseAddress
WerpUnmapProcessViews
NtWaitForSingleObject
CrashDumpEnabled.Old
!aN=M
D$(PP
6h7o7
UserVerticalCrashed
RegQueryInfoKeyW
HKLM\
GetFileAttributesExW
RegCloseKey
version="1.0.0.0"
?"?'?9?O?X?
6(636>6I6T6_6j6
ext-ms-win-ntuser-window-l1-1-1
D'=='
303T3
.030V0]0
SHCreateDirectoryExW
CKernelReport::SendLiveReport
PWWWWWWS
WerpTraceUnmappedVaRangesStatistics
Failed to get live dump root folder
F@PSh
No live dump was present
272R2W2z2
80858X8]8
RtlAllocateHeap
0 1*1L1a1
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Icon | Icon Exact Hash | Icon Similarity Hash | Icon DHash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0x00400000 | 0x00046e00 | 0x0007bfdf | 0x0007bfdf | 10.0 | WerFault.pdb | 2029-04-09 06:01:23 | e9f15dbad63604ee770191ee91c8b8c3 |  |
92c690912f6e70d06938bcbe9c3e5833 | b836b9d2aac33167978d0ccbb6b58398 | f2c3c3f5c5c8e878 |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Windows Problem Reporting |
| FileVersion | 10.0.17763.379 (WinBuild.160101.0800) |
| InternalName | WerFault |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | WerFault.exe |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.379 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x0004a134 | 0x0004a200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.46 |
| .imrsiv | 0x00000000 | 0x0004c000 | 0x00000004 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .data | 0x0004a600 | 0x0004d000 | 0x00000fc0 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.39 |
| .idata | 0x0004b000 | 0x0004e000 | 0x00003e36 | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.43 |
| .didat | 0x0004f000 | 0x00052000 | 0x000000a8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 1.42 |
| .rsrc | 0x0004f200 | 0x00053000 | 0x00016870 | 0x00016a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.01 |
| .reloc | 0x00065c00 | 0x0006a000 | 0x00004b3c | 0x00004c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 6.80 |
Overlay
| Offset | 0x0006a800 |
| Size | 0x00002138 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| MUI | 0x00069778 | 0x000000f8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.78 | None |
| WEVT_TEMPLATE | 0x00066af8 | 0x00002c7a | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.92 | None |
| RT_ICON | 0x00053998 | 0x00000668 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.14 | None |
| RT_ICON | 0x00054000 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.30 | None |
| RT_ICON | 0x000542e8 | 0x000001e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.01 | None |
| RT_ICON | 0x000544d0 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.54 | None |
| RT_ICON | 0x000545f8 | 0x00000ea8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.80 | None |
| RT_ICON | 0x000554a0 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.17 | None |
| RT_ICON | 0x00055d48 | 0x000006c8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.17 | None |
| RT_ICON | 0x00056410 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.53 | None |
| RT_ICON | 0x00056978 | 0x0000b8dd | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.98 | None |
| RT_ICON | 0x00062258 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.51 | None |
| RT_ICON | 0x00064800 | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.75 | None |
| RT_ICON | 0x000658a8 | 0x00000988 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.82 | None |
| RT_ICON | 0x00066230 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.74 | None |
| RT_GROUP_ICON | 0x00066698 | 0x000000bc | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.07 | None |
| RT_VERSION | 0x00066758 | 0x000003a0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.50 | None |
| RT_MANIFEST | 0x00053430 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.65 | None |
Imports
| Name | Address |
|---|---|
| memcpy | 0x44e4e4 |
| memcmp | 0x44e4e8 |
| _CxxThrowException | 0x44e4ec |
| realloc | 0x44e4f0 |
| wcsncpy_s | 0x44e4f4 |
| wcscat_s | 0x44e4f8 |
| memmove_s | 0x44e4fc |
| swprintf_s | 0x44e500 |
| malloc | 0x44e504 |
| wcsrchr | 0x44e508 |
| _wtoi64 | 0x44e50c |
| _wcstoui64 | 0x44e510 |
| _except_handler4_common | 0x44e514 |
| ??1type_info@@UAE@XZ | 0x44e518 |
| ?terminate@@YAXXZ | 0x44e51c |
| _onexit | 0x44e520 |
| __dllonexit | 0x44e524 |
| wcsstr | 0x44e528 |
| _unlock | 0x44e52c |
| _purecall | 0x44e530 |
| tolower | 0x44e534 |
| _wtoi | 0x44e538 |
| wcspbrk | 0x44e53c |
| _lock | 0x44e540 |
| wcschr | 0x44e544 |
| iswspace | 0x44e548 |
| _initterm | 0x44e54c |
| isspace | 0x44e550 |
| __setusermatherr | 0x44e554 |
| _controlfp | 0x44e558 |
| __p__fmode | 0x44e55c |
| _cexit | 0x44e560 |
| towlower | 0x44e564 |
| _exit | 0x44e568 |
| exit | 0x44e56c |
| __set_app_type | 0x44e570 |
| __wgetmainargs | 0x44e574 |
| _amsg_exit | 0x44e578 |
| wcsncmp | 0x44e57c |
| _vscwprintf | 0x44e580 |
| __p__commode | 0x44e584 |
| _snwscanf_s | 0x44e588 |
| printf | 0x44e58c |
| _XcptFilter | 0x44e590 |
| wcscpy_s | 0x44e594 |
| _callnewh | 0x44e598 |
| free | 0x44e59c |
| _vsnprintf_s | 0x44e5a0 |
| ??0exception@@QAE@ABV0@@Z | 0x44e5a4 |
| ??0exception@@QAE@XZ | 0x44e5a8 |
| ??1exception@@UAE@XZ | 0x44e5ac |
| _wcsicmp | 0x44e5b0 |
| memmove | 0x44e5b4 |
| memcpy_s | 0x44e5b8 |
| _wcsnicmp | 0x44e5bc |
| _vsnwprintf | 0x44e5c0 |
| __CxxFrameHandler3 | 0x44e5c4 |
| memset | 0x44e5c8 |
| Name | Address |
|---|---|
| GetModuleHandleW | 0x44e13c |
| GetProcAddress | 0x44e140 |
| LoadStringW | 0x44e144 |
| GetModuleHandleExW | 0x44e148 |
| GetModuleFileNameA | 0x44e14c |
| FreeLibraryAndExitThread | 0x44e150 |
| FreeLibrary | 0x44e154 |
| LoadLibraryExW | 0x44e158 |
| Name | Address |
|---|---|
| CreateMutexExW | 0x44e2c8 |
| WaitForSingleObject | 0x44e2cc |
| ReleaseSemaphore | 0x44e2d0 |
| OpenEventW | 0x44e2d4 |
| AcquireSRWLockShared | 0x44e2d8 |
| InitializeSRWLock | 0x44e2dc |
| EnterCriticalSection | 0x44e2e0 |
| InitializeCriticalSectionEx | 0x44e2e4 |
| SetEvent | 0x44e2e8 |
| OpenSemaphoreW | 0x44e2ec |
| ReleaseSRWLockExclusive | 0x44e2f0 |
| InitializeCriticalSection | 0x44e2f4 |
| ReleaseSRWLockShared | 0x44e2f8 |
| CreateEventW | 0x44e2fc |
| DeleteCriticalSection | 0x44e300 |
| AcquireSRWLockExclusive | 0x44e304 |
| OpenMutexW | 0x44e308 |
| CreateMutexW | 0x44e30c |
| ReleaseMutex | 0x44e310 |
| CreateSemaphoreExW | 0x44e314 |
| WaitForSingleObjectEx | 0x44e318 |
| ResetEvent | 0x44e31c |
| LeaveCriticalSection | 0x44e320 |
| Name | Address |
|---|---|
| HeapAlloc | 0x44e124 |
| HeapFree | 0x44e128 |
| GetProcessHeap | 0x44e12c |
| Name | Address |
|---|---|
| GetLastError | 0x44e098 |
| SetLastError | 0x44e09c |
| SetUnhandledExceptionFilter | 0x44e0a0 |
| UnhandledExceptionFilter | 0x44e0a4 |
| SetErrorMode | 0x44e0a8 |
| Name | Address |
|---|---|
| GetCurrentThread | 0x44e1e0 |
| GetProcessTimes | 0x44e1e4 |
| GetCurrentThreadId | 0x44e1e8 |
| TerminateProcess | 0x44e1ec |
| SetPriorityClass | 0x44e1f0 |
| GetPriorityClass | 0x44e1f4 |
| GetThreadPriority | 0x44e1f8 |
| GetCurrentProcess | 0x44e1fc |
| GetExitCodeThread | 0x44e200 |
| CreateThread | 0x44e204 |
| SetThreadPriority | 0x44e208 |
| OpenThread | 0x44e20c |
| GetCurrentProcessId | 0x44e210 |
| CreateProcessW | 0x44e214 |
| OpenProcessToken | 0x44e218 |
| GetProcessId | 0x44e21c |
| Name | Address |
|---|---|
| GetUserGeoID | 0x44e168 |
| GetThreadUILanguage | 0x44e16c |
| GetSystemDefaultLangID | 0x44e170 |
| LCMapStringW | 0x44e174 |
| FormatMessageW | 0x44e178 |
| Name | Address |
|---|---|
| IsDebuggerPresent | 0x44e070 |
| OutputDebugStringW | 0x44e074 |
| DebugBreak | 0x44e078 |
| Name | Address |
|---|---|
| DuplicateHandle | 0x44e118 |
| CloseHandle | 0x44e11c |
| Name | Address |
|---|---|
| EventRegister | 0x44e408 |
| EventSetInformation | 0x44e40c |
| EventWriteTransfer | 0x44e410 |
| EventUnregister | 0x44e414 |
| EventWrite | 0x44e418 |
| Name | Address |
|---|---|
| SetConsoleCtrlHandler | 0x44e068 |
| Name | Address |
|---|---|
| WakeByAddressSingle | 0x44e328 |
| WaitOnAddress | 0x44e32c |
| Sleep | 0x44e330 |
| Name | Address |
|---|---|
| QueryPerformanceCounter | 0x44e23c |
| QueryPerformanceFrequency | 0x44e240 |
| Name | Address |
|---|---|
| GetTickCount | 0x44e340 |
| GetVersionExW | 0x44e344 |
| GetTickCount64 | 0x44e348 |
| GlobalMemoryStatusEx | 0x44e34c |
| GetSystemTimeAsFileTime | 0x44e350 |
| GetWindowsDirectoryW | 0x44e354 |
| GetSystemDirectoryW | 0x44e358 |
| GetSystemInfo | 0x44e35c |
| Name | Address |
|---|---|
| MultiByteToWideChar | 0x44e2b8 |
| GetStringTypeExW | 0x44e2bc |
| CompareStringW | 0x44e2c0 |
| Name | Address |
|---|---|
| LocalFree | 0x44e134 |
| Name | Address |
|---|---|
| IsWow64Process2 | 0x44e3dc |
| GetSystemWow64DirectoryW | 0x44e3e0 |
| Name | Address |
|---|---|
| IsOS | 0x44e3e8 |
| Name | Address |
|---|---|
| MiniDumpWriteDump | 0x44e4d4 |
| Name | Address |
|---|---|
| CoGetCallState | 0x44e05c |
| CoGetActivationState | 0x44e060 |
| Name | Address |
|---|---|
| WerGetFlags | 0x44e3cc |
| Name | Address |
|---|---|
| CryptReleaseContext | 0x44e000 |
| CryptAcquireContextW | 0x44e004 |
| Name | Address |
|---|---|
| ApiSetQueryApiSetPresence | 0x44e028 |
| Name | Address |
|---|---|
| ResolveDelayLoadedAPI | 0x44e090 |
| Name | Address |
|---|---|
| DelayLoadFailureHook | 0x44e088 |
| Name | Address |
|---|---|
| OpenProcess | 0x44e224 |
| GetThreadTimes | 0x44e228 |
| GetThreadContext | 0x44e22c |
| Name | Address |
|---|---|
| GetSidSubAuthority | 0x44e43c |
| GetSidSubAuthorityCount | 0x44e440 |
| GetTokenInformation | 0x44e444 |
| FreeSid | 0x44e448 |
| CheckTokenMembership | 0x44e44c |
| CopySid | 0x44e450 |
| GetLengthSid | 0x44e454 |
| IsValidSid | 0x44e458 |
| CreateWellKnownSid | 0x44e45c |
| SetKernelObjectSecurity | 0x44e460 |
| SetSecurityDescriptorDacl | 0x44e464 |
| EqualSid | 0x44e468 |
| InitializeSecurityDescriptor | 0x44e46c |
| GetSecurityDescriptorDacl | 0x44e470 |
| AllocateAndInitializeSid | 0x44e474 |
| GetKernelObjectSecurity | 0x44e478 |
| Name | Address |
|---|---|
| ConvertSidToStringSidW | 0x44e488 |
| ConvertStringSecurityDescriptorToSecurityDescriptorW | 0x44e48c |
| Name | Address |
|---|---|
| GetFinalPathNameByHandleW | 0x44e0b0 |
| CreateFileW | 0x44e0b4 |
| ReadFile | 0x44e0b8 |
| CompareFileTime | 0x44e0bc |
| GetLongPathNameW | 0x44e0c0 |
| CreateDirectoryW | 0x44e0c4 |
| GetFileSize | 0x44e0c8 |
| DeleteFileW | 0x44e0cc |
| FileTimeToLocalFileTime | 0x44e0d0 |
| GetDriveTypeW | 0x44e0d4 |
| GetFileAttributesExW | 0x44e0d8 |
| GetFileAttributesW | 0x44e0dc |
| QueryDosDeviceW | 0x44e0e0 |
| GetLogicalDriveStringsW | 0x44e0e4 |
| FindFirstFileW | 0x44e0e8 |
| FindNextFileW | 0x44e0ec |
| FindClose | 0x44e0f0 |
| GetDiskFreeSpaceExW | 0x44e0f4 |
| SetFileAttributesW | 0x44e0f8 |
| WriteFile | 0x44e0fc |
| GetTempFileNameW | 0x44e100 |
| Name | Address |
|---|---|
| IsWow64Process | 0x44e3d4 |
| Name | Address |
|---|---|
| RegQueryValueExW | 0x44e258 |
| RegSetValueExW | 0x44e25c |
| RegDeleteTreeW | 0x44e260 |
| RegGetKeySecurity | 0x44e264 |
| RegDeleteValueW | 0x44e268 |
| RegEnumValueW | 0x44e26c |
| RegCloseKey | 0x44e270 |
| RegGetValueW | 0x44e274 |
| RegCreateKeyExW | 0x44e278 |
| RegEnumKeyExW | 0x44e27c |
| RegSetKeySecurity | 0x44e280 |
| RegOpenKeyExW | 0x44e284 |
| RegQueryInfoKeyW | 0x44e288 |
| Name | Address |
|---|---|
| VirtualQuery | 0x44e188 |
| CreateFileMappingW | 0x44e18c |
| UnmapViewOfFile | 0x44e190 |
| MapViewOfFile | 0x44e194 |
| VirtualQueryEx | 0x44e198 |
| ReadProcessMemory | 0x44e19c |
| VirtualFree | 0x44e1a0 |
| VirtualAlloc | 0x44e1a4 |
| OpenFileMappingW | 0x44e1a8 |
| Name | Address |
|---|---|
| CreateThreadpoolWait | 0x44e370 |
| CreateThreadpoolTimer | 0x44e374 |
| SetThreadpoolTimer | 0x44e378 |
| SetThreadpoolWait | 0x44e37c |
| WaitForThreadpoolTimerCallbacks | 0x44e380 |
| WaitForThreadpoolWaitCallbacks | 0x44e384 |
| CloseThreadpoolTimer | 0x44e388 |
| CloseThreadpoolWait | 0x44e38c |
| Name | Address |
|---|---|
| WaitForMultipleObjects | 0x44e338 |
| Name | Address |
|---|---|
| CheckRemoteDebuggerPresent | 0x44e080 |
| Name | Address |
|---|---|
| GetCommandLineW | 0x44e1b0 |
| ExpandEnvironmentStringsW | 0x44e1b4 |
| SearchPathW | 0x44e1b8 |
| GetEnvironmentVariableW | 0x44e1bc |
| SetEnvironmentVariableW | 0x44e1c0 |
| Name | Address |
|---|---|
| K32EnumProcessModules | 0x44e248 |
| K32GetModuleFileNameExW | 0x44e24c |
| QueryFullProcessImageNameW | 0x44e250 |
| Name | Address |
|---|---|
| GetTempPathW | 0x44e108 |
| Name | Address |
|---|---|
| PssCaptureSnapshot | 0x44e1c8 |
| PssWalkMarkerFree | 0x44e1cc |
| PssDuplicateSnapshot | 0x44e1d0 |
| PssQuerySnapshot | 0x44e1d4 |
| PssWalkMarkerCreate | 0x44e1d8 |
| Name | Address |
|---|---|
| RtlCompareMemory | 0x44e2a8 |
| Name | Address |
|---|---|
| PowerSettingUnregisterNotification | 0x44e430 |
| PowerSettingRegisterNotification | 0x44e434 |
| Name | Address |
|---|---|
| CLSIDFromString | 0x44e030 |
| ProgIDFromCLSID | 0x44e034 |
| CoTaskMemFree | 0x44e038 |
| CoCreateInstance | 0x44e03c |
| CoTaskMemAlloc | 0x44e040 |
| CoUnmarshalInterface | 0x44e044 |
| CoGetMalloc | 0x44e048 |
| CoSetProxyBlanket | 0x44e04c |
| CoUninitialize | 0x44e050 |
| CoInitializeEx | 0x44e054 |
| Name | Address |
|---|---|
| BCryptCreateHash | 0x44e4c0 |
| BCryptFinishHash | 0x44e4c4 |
| BCryptHashData | 0x44e4c8 |
| BCryptDestroyHash | 0x44e4cc |
| Name | Address |
|---|---|
| StopTraceW | 0x44e3f0 |
| StartTraceW | 0x44e3f4 |
| Name | Address |
|---|---|
| RpcStringFreeW | 0x44e018 |
| UuidToStringW | 0x44e01c |
| UuidCreate | 0x44e020 |
| Name | Address |
|---|---|
| FileTimeToSystemTime | 0x44e394 |
| Name | Address |
|---|---|
| StartServiceW | 0x44e49c |
| OpenServiceW | 0x44e4a0 |
| CloseServiceHandle | 0x44e4a4 |
| OpenSCManagerW | 0x44e4a8 |
| Name | Address |
|---|---|
| QueryServiceConfigW | 0x44e4b0 |
| Name | Address |
|---|---|
| GetProductInfo | 0x44e364 |
| GetNativeSystemInfo | 0x44e368 |
| Name | Address |
|---|---|
| MoveFileExW | 0x44e110 |
| Name | Address |
|---|---|
| RegSetKeyValueW | 0x44e290 |
| Name | Address |
|---|---|
| LoadLibraryW | 0x44e160 |
| Name | Address |
|---|---|
| GetFileVersionInfoSizeExW | 0x44e3bc |
| GetFileVersionInfoExW | 0x44e3c0 |
| VerQueryValueW | 0x44e3c4 |
| Name | Address |
|---|---|
| SysFreeString | 0x44e00c |
| SysAllocStringLen | 0x44e010 |
| Name | Address |
|---|---|
| QueryTraceW | 0x44e3fc |
| EnableTrace | 0x44e400 |
| Name | Address |
|---|---|
| RegDeleteKeyW | 0x44e298 |
| RegDeleteKeyA | 0x44e29c |
| RegOpenKeyW | 0x44e2a0 |
| Name | Address |
|---|---|
| RegisterEventSourceW | 0x44e420 |
| ReportEventW | 0x44e424 |
| DeregisterEventSource | 0x44e428 |
| Name | Address |
|---|---|
| SetEntriesInAclW | 0x44e480 |
| Name | Address |
|---|---|
| Module32FirstW | 0x44e39c |
| CreateToolhelp32Snapshot | 0x44e3a0 |
| Thread32Next | 0x44e3a4 |
| Process32NextW | 0x44e3a8 |
| Process32FirstW | 0x44e3ac |
| Thread32First | 0x44e3b0 |
| Module32NextW | 0x44e3b4 |
| Name | Address |
|---|---|
| GetProcessIoCounters | 0x44e234 |
| Name | Address |
|---|---|
| CommandLineToArgvW | 0x44e4b8 |
| Name | Address |
|---|---|
| StrStrIW | 0x44e2b0 |
| Name | Address |
|---|---|
| BuildSecurityDescriptorW | 0x44e494 |
| Name | Address |
|---|---|
| GetUserDefaultUILanguage | 0x44e180 |
| Name | Address |
|---|---|
| WerpInitiateCrashReporting | 0x44e4dc |
Usage
Processing ( 9.90 seconds )
- 9.243 ProcessMemory
- 0.646 CAPE
- 0.005 BehaviorAnalysis
- 0.004 AnalysisInfo
Signatures ( 0.05 seconds )
- 0.008 ransomware_files
- 0.005 antianalysis_detectfile
- 0.005 antiav_detectreg
- 0.005 ransomware_extensions
- 0.003 ursnif_behavior
- 0.002 antiav_detectfile
- 0.002 infostealer_ftp
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.002 territorial_disputes_sigs
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 infostealer_bitcoin
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
- 0.001 lokibot_mutexes
Reporting ( 0.00 seconds )
- 0.003 CAPASummary
- 0.001 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: WerFault.pdb
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.imrsiv', 'raw_address': '0x00000000', 'virtual_address': '0x0004c000', 'virtual_size': '0x00000004', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000080', 'entropy': '0.00'}
unknown section: {'name': '.didat', 'raw_address': '0x0004f000', 'virtual_address': '0x00052000', 'virtual_size': '0x000000a8', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '1.42'}
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x0004f200', 'virtual_address': '0x00053000', 'virtual_size': '0x00016870', 'size_of_data': '0x00016a00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.01'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 2748 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Local\SM0:2748:64:WilError_02
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.