vfntlmless.dll (vfntlmless.pdb)

CompanyName: Microsoft Corporation
FileDescription: Application Verifier Provider - NTLMLess Provider
FileVersion: 10.0.26100.3916 (WinBuild.160101.0800)
InternalName: vfntlmless.dll
LegalCopyright: Microsoft Corporation. All rights reserved.
OriginalFilename: vfntlmless.dll
ProductName: Microsoft Windows Operating System
ProductVersion: 10.0.26100.3916

secur32.dll
sspicli.dll
{195c2792-f194-4108-8420-9c15a8139679} NTLMCaller
{35050f5a-90b5-4dde-9d43-59eef8365534} NTLMDowngrade

AcquireCredentialsHandleA
AcquireCredentialsHandleW
InitializeSecurityContextA
InitializeSecurityContextW
InitSecurityInterfaceA
InitSecurityInterfaceW
FreeCredentialsHandle
DeleteSecurityContext
SSPICLI.AcquireCredentialsHandleA
SSPICLI.AcquireCredentialsHandleW
SSPICLI.InitializeSecurityContextA
SSPICLI.InitializeSecurityContextW
SSPICLI.InitSecurityInterfaceA
SSPICLI.InitSecurityInterfaceW
SSPICLI.FreeCredentialsHandle
SSPICLI.DeleteSecurityContext

RtlDeleteCriticalSection, RtlInitializeCriticalSection, _wcsicmp, RtlEnterCriticalSection, _stricmp, RtlLeaveCriticalSection, wcschr, _wcsnicmp, _strnicmp, strchr, RtlAllocateHeap, RtlFreeHeap, ntdll.dll
VerifierRegisterProvider, VerifierRegisterLayer, VerifierIsLayerEnabled, VerifierUnregisterLayer, VerifierStopMessageEx, vrfcore.dll
memcpy


AcquireCredentialsHandle acquires NTLM credential explicitly.
Not used. Not used. Not used. Not used.

AcquireCredentialsHandle is called directly or indirectly by the application with pszPackage = 'NTLM'. 'Negotiate' should be used to fix this issue.

An example of bad call:

    AcquireCredentialsHandle(
        ...
        'NTLM', // pszPackage
        ...
    );

An example of good call:

    AcquireCredentialsHandle(
        ...
        'Negotiate', // pszPackage
        ...
    );

Please refer to help for more detailed information of this stop code.


AcquireCredentialsHandle prefers NTLM credentials. Please see Param1 for the value of PackageList.
PackageList. Not used. Not used. Not used.
Packagelist: %.*hs%.*ws

AcquireCredentialsHandle is called directly or indirectly by the application with pszPackage = 'Negotiate'. However, NTLM is preferred in supplied credential (pAuthData).

An example of bad call:

    AcquireCredentialsHandle(
        ...
        'Negotiate', // pszPackage
        ...
        pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList is 'NTLM' or 'NTLM,KERBEROS' etc.
        ...
    );

An example of good call:

    AcquireCredentialsHandle(
        ...
        'Negotiate', // pszPackage
        ...
        pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList = NULL or NTLM is less preferred.
        ...
    );

Please refer to help for more detailed information of this stop code.


AcquireCredentialsHandle mistakenly uses '-NTLM' to exclude NTLM credential. Please see Param1 for the value of PackageList.
PackageList. Not used. Not used. Not used.
PackageList: %.*hs%.*ws

AcquireCredentialsHandle is called directly or indirectly by the application with supplied credential (pAuthData), in which '-NTLM' is mistakenly used to exclude NTLM credential. '!NTLM' should be used to fix this issue.

An example of bad call:

    AcquireCredentialsHandle(
        ...
        'Negotiate', // pszPackage
        ...
        pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList uses '-NTLM'.
        ...
    );

An example of good call:

    AcquireCredentialsHandle(
        ...
        'Negotiate', // pszPackage
        ...
        pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList uses '!NTLM'.
        ...
    );

Please refer to help for more detailed information of this stop code.


InitializeSecurityContext uses NULL target or malformed target for Kerberos service. Please see pszTargetName for the value of the target.
Not used. Not used. Not used. Not used.
pszTargetName: %hs%ws

InitializeSecurityContext is called directly or indirectly by the application with pszTargetName being NULL or malformed, with which Kerberos cannot be possibly negotiated. The guidance to fix this issue to use Kerberos is provided as below:
(1) The service the client application authenticates to should have its SPN uniquely registered in its forest;
(2) The service must run under the identity,domain user or computer account, with this SPN registered;
(3) InitializedSecuirtyContext should be called with this SPN.

An example of bad call:

    InitializeSecurityContext(
        ...
        NULL, // pszTargetName
        ...
    );

Another example of bad call:

    InitializeSecurityContext(
        ...
        '\\localhost', // pszTargetName
        ...
    );

An example of good call:

    InitializeSecurityContext(
        ...
        'myservice/mymachine.mydomain.com', // pszTargetName, myservice/mymachine.mydomain.com is a uniquely registered SPN under which the service runs.
        ...
    );

Please refer to help for more detailed information of this stop code.


The client application downgrades to use NTLM authentication as the result of negotiation. Please see pAuthData for more details.
pAuthData shows the credential and the target used for this negotiation. Not used. Not used. Not used. Not used.
pAuthData: %ws User: %hs%ws Domain: %hs%ws pszTargetName: %hs%ws

The client application downgrades to use NTLM authentication as the result of negotiation. There can be many reasons for this issue. The guidance of troubleshooting this issue is provided as below:
(1) Turn on NTLMCaller appverifier layer if it was not on. This layer will catch commonly known issues that can cause the downgrade;
(2) If pszTargetName is an SPN, make sure this SPN is uniquely registered in the forest (the SPN cannot be missing or duplicated);
(3) The SPN must be looked up by the client system running client application;
(4) The service must run under an identity with its Kerberos credential available;
(5) The scenario should be reviewed by Windows security experts.

Please refer to help for more detailed information of this stop code.


enable this layer to detect hard-coded call dependency on NTLM.
enable this layer to detect if negotiation of authentication packages downgrades to use NTLM.