TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Hexacorn

WerReportCreate API

adam · 2026-04-16

ATT&CK techniques detected

5 predictions
T1055.001 Dynamic-link Library Injection · 53%
“werreportcreate api the api i want to talk about today is called werreportcreate. it takes a few arguments, but the most interesting is the first one, which is the event name. looking at windows os binaries, we can see this api being utilized by a number of native executables and…”
T1055.001 Dynamic-link Library Injection · 46%
“exe - windowsbackupfailure – sdengin2.dll - servicehang – services.exe - systemrestore – srcore.dll - shellthumbnailextractiontimeout – thumbcache.dll - shellthumbnailextractiontimeout – thumbnailextractionhost.exe - updateagentdiag – updateagent.dll - windows server backup…”
T1574.001 DLL · 37%
“werreportcreate api the api i want to talk about today is called werreportcreate. it takes a few arguments, but the most interesting is the first one, which is the event name. looking at windows os binaries, we can see this api being utilized by a number of native executables and…”
T1574.001 DLL · 37%
“exe - windowsbackupfailure – sdengin2.dll - servicehang – services.exe - systemrestore – srcore.dll - shellthumbnailextractiontimeout – thumbcache.dll - shellthumbnailextractiontimeout – thumbnailextractionhost.exe - updateagentdiag – updateagent.dll - windows server backup…”
T1574.001 DLL · 30%
“##cancel – explorerframe.dll - shellviewreentered – explorerframe.dll - faulttolerantheap – fthsvc.dll - gdiobjectleak – gdi32full.dll - compatentityanalysis_1 – invagent.dll - scripteddiagfailure – msdt.exe - windowsnonfatalsuspecteddeadlock – netprofmsvc.dll - commsnon…”

Summary

The API I want to talk about today is called WerReportCreate. It takes a few arguments, but the most interesting is the first one, which is the Event Name. Looking at Windows OS binaries, we can see this API being …