Strange Directories With Chinese Characters in C:

Anonymous
2023-08-17T17:06:39+00:00

I recently noticed a bunch of strange directories appear on the C: drive of one of my servers. Some of them seem to have Chinese characters and others are random characters. Inside the directories are dmp files. They are encoded so not much of it is human readable but inside the files, I was able to pick out some references to Citrix, in particular the Citrix Print service. Citrix is running on this server.

For a while now we have had an issue with the Citrix Print service crashing. So, I went through the event logs and was able to correlate the recent crashes to the exact time that these folders and files were created. I then concluded that the dmp files were being created when the Citrix Print svc crashes and for some reason, Windows was misinterpreting the file names. To make sure, I sent some of the files to Citrix. They confirmed that they are dmp files being created by WER but they could not tell me where the Chinese characters are coming from. Nor could they tell me why this just suddenly started happening.

In light of the recent Citrix Netscaler breaches, I am asking for help from the Microsoft side to confirm that these are in fact dmp files being created by WER and not an IOC of something more serious. Has anyone seen behavior like this before?
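One way to do the correlation the question describes (directory creation time against Application Error / WER events) and to check that the files really carry the Windows minidump signature, as an added PowerShell example that is not from the thread; the drive-root path, the 5 minute window and the event IDs 1000/1001 are assumptions:

```powershell
# Added example (not from the thread): triage oddly named directories on C:\ by checking
# whether their .dmp contents start with the minidump "MDMP" signature and whether an
# Application Error (1000) or Windows Error Reporting (1001) event was logged when the
# directory was created.
param(
    [string]$Root = 'C:\',      # assumption: the dump directories sit at the drive root
    [int]$WindowMinutes = 5     # assumption: +/- window used to match crash events
)

# Windows minidump files begin with the four ASCII bytes "MDMP".
function Test-MinidumpSignature {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $read = $fs.Read($buf, 0, 4)
        return ($read -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq 'MDMP')
    } finally {
        $fs.Dispose()
    }
}

# Directories whose names contain non-ASCII characters (the "Chinese characters" case).
$suspect = Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '[^\x00-\x7F]' }

foreach ($dir in $suspect) {
    $dumps = @(Get-ChildItem -Path $dir.FullName -Filter *.dmp -Recurse -File -ErrorAction SilentlyContinue)
    $validDumps = @($dumps | Where-Object { Test-MinidumpSignature $_.FullName })

    # Crash and WER events in the Application log around the directory's creation time.
    $events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = @('Application Error', 'Windows Error Reporting')
        Id           = @(1000, 1001)
        StartTime    = $dir.CreationTime.AddMinutes(-$WindowMinutes)
        EndTime      = $dir.CreationTime.AddMinutes($WindowMinutes)
    })

    # A directory with valid minidumps and a matching crash event fits the WER explanation;
    # dumps without the signature or without any nearby crash event deserve a closer look.
    [pscustomobject]@{
        Directory     = $dir.FullName
        Created       = $dir.CreationTime
        DumpFiles     = $dumps.Count
        MinidumpMagic = $validDumps.Count
        CrashEvents   = $events.Count
        Providers     = ($events | ForEach-Object ProviderName | Sort-Object -Unique) -join ', '
    }
}
```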




4 answers

  1. Anonymous
    2023-08-18T01:49:08+00:00

    Hello,

    It is possible that the directories with Chinese characters and dmp files you are seeing on your C: drive are being created by Windows Error Reporting (WER) when the Citrix Print service crashes. WER is a feature of Microsoft Windows that collects and sends crash logs to Microsoft for analysis. The dmp files you are seeing could be memory dump files generated by WER when the Citrix Print service crashes.

    As for the Chinese characters, it is possible that there is an issue with the encoding of the file names, causing them to be displayed incorrectly. This could be due to a misconfiguration or a bug in the software. It is also possible that the issue is related to the recent Citrix Netscaler breaches, but without further investigation, it is difficult to say for certain.

    I would recommend checking your system for any signs of compromise and ensuring that all your software is up to date with the latest security patches.

    reference link:


    How To Solve The Win10 Folder Name Is Garbled · (code-learner.com)

    Thanks,

  2. Anonymous
    2023-08-18T19:45:47+00:00

    Thank you for your response. I have checked the system and have not noticed any IOCs. From what I can tell, there is nothing out of the ordinary except for these folders and dmp files. I have upgraded our Netscaler to a patched version already as well. Would I be able to send a dmp file to you or someone else at Microsoft to confirm they were in fact generated by WER?

  3. Anonymous
    2023-08-21T02:32:14+00:00

    For the dump files, it is better to open start and search for feedback and open the Feedback Hub app and file a bug report and attach dump files there.

    Send feedback to Microsoft with the Feedback Hub app - Microsoft Support

    or contact a Microsoft online support engineer:

    Global Customer Service phone numbers - Microsoft Support

    Best Regards

  4. Anonymous
    2024-05-02T19:29:27+00:00

    Hi, folks.

    There's a thread at Citrix docs that could help.

    https://support.citrix.com/article/CTX582600/ctxexceptionhandlerexe-creates-dump-files-under-c-drive-in-vda

    Tested here and the situation was solved for us.
