Analysis

Category Package Started Completed Duration
FILE exe 2025-06-14 06:32:53 2025-06-14 07:03:39 1846 seconds

Options:
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Analysis Log:
2024-11-25 13:37:15,053 [root] INFO: Date set to: 20250614T06:32:52, timeout set to: 1800
2025-06-14 07:32:52,016 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-14 07:32:52,032 [root] DEBUG: Storing results at: C:\SQcwbVxajY
2025-06-14 07:32:52,032 [root] DEBUG: Pipe server name: \\.\PIPE\NetpWnMlHU
2025-06-14 07:32:52,032 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-14 07:32:52,032 [root] INFO: analysis running as an admin
2025-06-14 07:32:52,032 [root] INFO: analysis package specified: "exe"
2025-06-14 07:32:52,032 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-14 07:32:53,141 [root] DEBUG: imported analysis package "exe"
2025-06-14 07:32:53,141 [root] DEBUG: initializing analysis package "exe"...
2025-06-14 07:32:53,141 [lib.common.common] INFO: wrapping
2025-06-14 07:32:53,141 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-14 07:32:53,141 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\scp.exe
2025-06-14 07:32:53,141 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-14 07:32:53,141 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-14 07:32:53,141 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-14 07:32:53,141 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-14 07:32:53,376 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-14 07:32:53,485 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-14 07:32:53,532 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-14 07:32:53,548 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-14 07:32:53,548 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-14 07:32:53,548 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-14 07:32:53,548 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-14 07:32:53,564 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-14 07:32:53,564 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-14 07:32:53,564 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-14 07:32:53,564 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-14 07:32:53,564 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-14 07:32:53,564 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-14 07:32:53,564 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-14 07:32:53,564 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-14 07:32:53,564 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-14 07:32:53,564 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-14 07:32:53,564 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-14 07:32:53,719 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-14 07:32:53,719 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-14 07:32:53,719 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-14 07:32:53,719 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-14 07:32:53,719 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-14 07:32:53,719 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-14 07:32:53,719 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-14 07:32:53,719 [modules.auxiliary.disguise] INFO: Disguising GUID to 1c831361-9c65-4ad1-ae56-1746788f5006
2025-06-14 07:32:53,719 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-14 07:32:53,719 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-14 07:32:53,719 [root] DEBUG: attempting to configure 'Human' from data
2025-06-14 07:32:53,719 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-14 07:32:53,719 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-14 07:32:53,735 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-14 07:32:53,735 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-14 07:32:53,735 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-14 07:32:53,735 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-14 07:32:53,735 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-14 07:32:53,735 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-14 07:32:53,735 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-14 07:32:53,735 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-14 07:32:53,735 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-14 07:32:53,735 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-14 07:32:53,735 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-14 07:32:53,735 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-14 07:32:53,766 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-14 07:32:53,766 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-14 07:32:53,766 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-14 07:32:53,766 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-14 07:32:53,766 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-14 07:32:53,766 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-14 07:32:53,766 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-14 07:32:53,766 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\ObHfqd.dll, loader C:\tmp_gell1p8\bin\bcnwRwnA.exe
2025-06-14 07:32:53,829 [root] DEBUG: Loader: IAT patching disabled.
2025-06-14 07:32:53,829 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\ObHfqd.dll.
2025-06-14 07:32:53,860 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-14 07:32:53,860 [root] INFO: Disabling sleep skipping.
2025-06-14 07:32:53,860 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-14 07:32:53,860 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-14 07:32:53,860 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-14 07:32:53,860 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-14 07:32:53,860 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-14 07:32:53,876 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-14 07:32:53,876 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-14 07:32:53,876 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-14 07:32:53,876 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 3492, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-14 07:32:53,876 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-14 07:32:53,892 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-14 07:32:53,892 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-14 07:32:53,892 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\ObHfqd.dll.
2025-06-14 07:32:53,892 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-14 07:32:53,892 [root] DEB <truncated>
Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-14 06:32:53 2025-06-14 07:03:20 none

File Details

File Name
scp.exe
File Type PE32+ executable (console) x86-64, for MS Windows
File Size 322560 bytes
MD5 2b26fed866ae32256a13e518ebd99a5e
SHA1 64cd2e217b8c6460983cd3ec6a424c3de9288276
SHA256 8860e4273f59caa71fa585697e291270f94cee83439e5c94726d918d7c72f362
SHA3-384 e7e785af03c951be3ba134c28755fe063813a29c5653a4e8f0c759ff4a6bbbd97cf5d26dd9029eb1e2fa3ae6bf099367
CRC32 8037F95A
TLSH T159646A46F3A510F5D8B3D13D89526112F9B1B8264734E7DB47644A1A6F33AF0AE3EB20
Ssdeep 6144:WThqanTjXv0Xa6CRU+/WFg/jB5B07qnolqLC8Z+a:qqanTDv0q6B+/WGXnolGCQ
Base Class Array'
D+d$8H
w32_fcntl
Entering directory: %s
generate_sshd_virtual_token
pl-PL
[18;4~
listen - Ioctl1 ERROR:%d, io:%p
api-ms-win-core-file-l1-1-0.dll
CreateWaitableTimerA
9D$ }c
socketio_setsockopt
vi-VN
Invalid parameter in function: %ls. File: %ls Line: %d.
[13;3~
`placement delete closure'
atime.usec not delimited
Successfully set console output code page from:%d to %d
ar-kw
WaitForSingleObjectEx
[18;8~
[23;3~
w32_lseek
ar-QA
HcD$(H
WriteConsoleW
U8D8;A
`vcall'
api-ms-win-core-io-l1-1-1.dll
tZHcD$@H
V6E>`"(5
GetConsoleScreenBufferInfo failed with %d
4FM9'u
:tF<[A
connectex - ERROR ConnectEx() :%d, io:%p
fd %d clearing O_NONBLOCK
sspicli.dll
L$(D+
T$hD+
Unable to Print: Printer not assigned. Press any key to continue...
/HcD$@H
el-gr
%s: LookupAccountName() failed: %d.
[13;4~
@USVWH
FakeUser
ms-BN
HcH<H
.CRT$XIZ
connectex - ERROR: unsuppored address family:%d, io:%p
quz-pe
[13;6~
FATAL
InitializeCriticalSectionEx
8[u.H
!This program cannot be run in DOS mode.
@A^_^
es-ar
debug3
fA9<Fu
;D$Ds
L$ I;
D$PH+
The socket is not connected
K~Je#>!
L$ H+
api-ms-win-core-kernel32-legacy-l1-1-1.dll
A^_^[]
D$h9D$ }
`eh vector destructor iterator'
USER32.dll
January
L$&8\$&t-8Y
pipe - ERROR CreateFile() :%d
[20;2~
+f)>0'
recv - ERROR: invalid arguments, buf:%p, len:%d, io:%p
zu-za
tDE3
api-ms-win-core-synch-l1-1-0.dll
setsockop - ERROR: unsupported optname:%d io:%p
[17;4~
yBNu'
D$ f;
8A^A]][
cwd is not currently within chroot
fD9!u
|$8@s
@L9D$`s
D$ HcD$ H
w32_write
received directory without -r
EnterCriticalSection
LOCAL6
es-NI
\$ E3
ConvertStringSecurityDescriptorToSecurityDescriptorW
wait_for_any_event() - ERROR max events reached
process_custom_lsa_auth
D$P I
%s: LsaLogonUser() failed. User '%ls' Status: 0x%08X SubStatus %d.
L$`H;
%s - unable to generate user token for %s as i am not running as system
%s: unable to open policy handle, error: %d
t$0I;
WriteFileEx
Timer expired
LookupAccountNameW
`typeof'
w32_settimes - SetFileTime ERROR:%d
graph
/S /E /H
,I<%w
mtime.sec not present
</requestedPrivileges>
uoHcD$$H
700WP
GetCurrentProcess
f9|$^t&f
cs-CZ
nl-be
9D$0}-
LOCAL4
******
fa-IR
HcD$\H
d$ E3
advapi32.dll
lseek - ERROR, origin is not supported %d
__cdecl
D$@H+
fD9#u
LocalFree
u$HcD$0H
D$0HcD$0L
[1;7S
Connection refused
</assembly>
CryptBinaryToStringA
Domain error
A_A^_^][
smj-SE
r9D8v
Translation
(D$PH
en-cb
9D$@u
ar-qa
FlsSetValue
mr-IN
se-NO
~ $s%r
TlsFree
alnum
it-IT
finish_connect - ERROR: setsockopt failed:%d, io:%p
D$`9D$$}
SeServiceLogonRight
delete[]
GetNamedSecurityInfoW
HcD$DHcL$DH
failed to get final path of file with handle:%d error:%d
O:%sD:PAI(A;;FA;;;BA)(A;;FA;;;SY)%s%s
[24;2~
%s - ERROR:%d
L$ fff
[11;3~
.CRT$XIAC
No space left on device
zh-SG
L$0H;
D$49C
ProductVersion
FlushFileBuffers
domain name "%.100s" starts with invalid character
sv-FI
`managed vector constructor iterator'
.exe
HcL$03
%02d:%02d
I96t:H
[24;8~
gu-IN
ShowWindow
IsValidSid
.CRT$XIAA
pa-in
D$29D$h|
A_A^A\_^[]
es-ni
LsaClose
exec_command_with_pty
Too many open files
t$(I;
out of memory
api-ms-win-core-processthreads-l1-1-2
H9D$(
HcD$XH
[18;6~
ta-in
D$0E3
quz-BO
fA;8utI
.idata$2
w32_accept
?[u+H
x AVH
api-ms-win-core-debug-l1-1-0.dll
@SVAVH
[14;2~
L$(H+
unable to alloc memory
|$PE3
[18;7~
acceptEx - socket() ERROR:%d, io:%p
pl-pl
LceoA
u$HcD$ H
%s - failed to execute %ls, error:%d
@UAVAWH
ns-ZA
%s: %s
fC9<hu
H!D$ E
.xdata
D$$9D$ s
QUIET
8*u;I
api-ms-win-core-synch-l1-2-0
az-az-latn
\$HfA
actual_read %d exceeds the limit:%d
zh-CHS
api-ms-win-core-namedpipe-l1-1-0.dll
en-bz
de-at
api-ms-win-core-fibers-l1-1-1
"f9;t
kE>fvw
D8d$Xt
TUUUU
GetModuleHandleExW
LsaSidNameMappingOperation_NameCollision
WriteThread thread - ERROR QueueUserAPC failed %d, io:%p
[21;2~
[1;2S
L$xHc
api-ms-win-core-localization-obsolete-l1-2-0
t&D8d$@t
fr-CH
unable to know if I am running as system
es-UY
se-SE
SetFilePointerEx
es-CO
[18;3~
GetWindowPlacement
t$ WATAUAVAWH
GetLastError
[19;4~
@USVWATAUAVAWH
DEBUG3
\$@H;
ar-IQ
w32_fstat
zh-chs
[12;3~
fffffff
Read-only file system
failed to duplicate %s
es-VE
SetConsoleMode
p WATAUAVAWH
empty domain name
AllocateLocallyUniqueId failed, error:%d
D$ HcD$@H
LSA auth request, user:%s lsa_pkg:%s
socketio_shutdown
createFile_flags_setup() failed.
api-ms-win-security-lsalookup-l2-1-0.dll
api-ms-win-security-sddl-l1-1-0.dll
mr-in
zh-cht
D$P9D$0
read - no more data, io:%p
zh-tw
es-MX
pt-br
w32_getsockopt
CancelIoEx
pA_A^A]A\_^]
fcntl - SetHandleInformation failed with error:%d, io:%p
fA9<^u
api-ms-win-core-timezone-l1-1-0.dll
NAN(SNAN)
ur-pk
AllocateAndInitializeSid failed with group SID
%s - unable to generate token for user %ls
bn-IN
sr-BA-Latn
A_A^A]A\]
v2!L.2
f9,~u
es-ec
CancelWaitableTimer
CopySid
D$H9D$
ml-in
[1;4Q
`.rdata
[13;8~
ar-BH
T$0L+
RegCloseKey
MoHcE
GetFileAttributesExW
c28fc6f98a2c44abbbd89d6a3037d0d9_POSIX_CHROOT
f9<iu
fo-fo
de-LI
tYfff

PE Information

Image Base 0x140000000
Entry Point 0x0001d180
Reported Checksum 0x0005a485
Actual Checksum 0x0005a485
Minimum OS Version 6.0
PDB Path scp.pdb
Compile Time 2018-08-15 20:48:51
Import Hash 85d8c9b4fbf728e5f40c3f477eee0c79

Version Infos

FileVersion 7.7.2.1
ProductName OpenSSH for Windows
ProductVersion OpenSSH_7.7p1 for Windows
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x000380f0 0x00038200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.29
.rdata 0x00038600 0x0003a000 0x0000ddc8 0x0000de00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.28
.data 0x00046400 0x00048000 0x00009388 0x00005400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.84
.pdata 0x0004b800 0x00052000 0x00002724 0x00002800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.43
.rsrc 0x0004e000 0x00055000 0x000003d0 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.26
.reloc 0x0004e400 0x00056000 0x000007ac 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.32

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x000550a0 0x000001ac LANG_ENGLISH SUBLANG_ENGLISH_US 3.35 None
RT_MANIFEST 0x00055250 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US 4.91 None

Imports

Name Address
SetConsoleCtrlHandler 0x14003a098
WriteConsoleW 0x14003a0a0
GetConsoleMode 0x14003a0a8
GetConsoleCP 0x14003a0b0
ReadConsoleW 0x14003a0b8
SetConsoleMode 0x14003a0c0
ReadConsoleInputW 0x14003a0c8
Name Address
SetEnvironmentVariableA 0x14003a390
SetEnvironmentVariableW 0x14003a398
GetEnvironmentStringsW 0x14003a3a0
FreeEnvironmentStringsW 0x14003a3a8
GetStdHandle 0x14003a3b0
GetCommandLineA 0x14003a3b8
GetCommandLineW 0x14003a3c0
GetCurrentDirectoryW 0x14003a3c8
ExpandEnvironmentStringsW 0x14003a3d0
SetStdHandle 0x14003a3d8
Name Address
WriteFileEx 0x14003a188
ReadFile 0x14003a190
ReadFileEx 0x14003a198
CreateFileW 0x14003a1a0
CreateDirectoryW 0x14003a1a8
GetFileInformationByHandle 0x14003a1b0
GetDriveTypeW 0x14003a1b8
GetDiskFreeSpaceExW 0x14003a1c0
GetFinalPathNameByHandleW 0x14003a1c8
GetFileAttributesExW 0x14003a1d0
SetFileAttributesW 0x14003a1d8
FlushFileBuffers 0x14003a1e0
SetFileTime 0x14003a1e8
GetFileType 0x14003a1f0
SetEndOfFile 0x14003a1f8
SetFilePointerEx 0x14003a200
CreateFileA 0x14003a208
GetLogicalDriveStringsW 0x14003a210
GetFullPathNameA 0x14003a218
FindClose 0x14003a220
FindFirstFileExW 0x14003a228
FindNextFileW 0x14003a230
GetFullPathNameW 0x14003a238
WriteFile 0x14003a240
Name Address
DebugBreak 0x14003a140
IsDebuggerPresent 0x14003a148
Name Address
DuplicateHandle 0x14003a250
SetHandleInformation 0x14003a258
CloseHandle 0x14003a260
Name Address
RaiseException 0x14003a158
UnhandledExceptionFilter 0x14003a160
SetUnhandledExceptionFilter 0x14003a168
SetLastError 0x14003a170
GetLastError 0x14003a178
Name Address
TerminateThread 0x14003a3e8
OpenProcessToken 0x14003a3f0
GetCurrentProcessId 0x14003a3f8
CreateThread 0x14003a400
QueueUserAPC 0x14003a408
CreateProcessW 0x14003a410
CreateProcessAsUserW 0x14003a418
TerminateProcess 0x14003a420
ExitThread 0x14003a428
GetCurrentProcess 0x14003a430
ExitProcess 0x14003a438
OpenThread 0x14003a440
TlsFree 0x14003a448
TlsSetValue 0x14003a450
GetExitCodeProcess 0x14003a458
GetStartupInfoW 0x14003a460
TlsGetValue 0x14003a468
TlsAlloc 0x14003a470
GetCurrentThreadId 0x14003a478
Name Address
GetTickCount64 0x14003a5a8
GetWindowsDirectoryW 0x14003a5b0
GetSystemTimeAsFileTime 0x14003a5b8
GetSystemDirectoryW 0x14003a5c0
Name Address
CryptStringToBinaryA 0x14003a000
CryptBinaryToStringA 0x14003a008
Name Address
WSAStartup 0x14003a038
WSAGetOverlappedResult 0x14003a040
WSASend 0x14003a048
closesocket 0x14003a050
WSAGetLastError 0x14003a058
WSASocketW 0x14003a060
socket 0x14003a068
setsockopt 0x14003a070
getsockname 0x14003a078
WSARecv 0x14003a080
WSADuplicateSocketW 0x14003a088
Name Address
CopySid 0x14003a610
IsWellKnownSid 0x14003a618
IsValidSid 0x14003a620
IsValidSecurityDescriptor 0x14003a628
IsValidAcl 0x14003a630
GetTokenInformation 0x14003a638
GetLengthSid 0x14003a640
GetAce 0x14003a648
Name Address
LocalFree 0x14003a2a0
Name Address
LookupAccountSidW 0x14003a658
LookupAccountNameW 0x14003a660
Name Address
CreateNamedPipeA 0x14003a2e8
GetComputerNameW 0x14003a2f0
Name Address
RegOpenKeyExW 0x14003a4a8
RegQueryValueExW 0x14003a4b0
RegCloseKey 0x14003a4b8
Name Address
WaitForSingleObject 0x14003a528
InitializeCriticalSectionAndSpinCount 0x14003a530
DeleteCriticalSection 0x14003a538
SetEvent 0x14003a540
LeaveCriticalSection 0x14003a548
ResetEvent 0x14003a550
SleepEx 0x14003a558
CreateEventA 0x14003a560
WaitForMultipleObjectsEx 0x14003a568
WaitForSingleObjectEx 0x14003a570
EnterCriticalSection 0x14003a578
CancelWaitableTimer 0x14003a580
SetWaitableTimer 0x14003a588
Name Address
CreateWaitableTimerW 0x14003a598
Name Address
GetProcAddress 0x14003a310
GetModuleHandleW 0x14003a318
FreeLibrary 0x14003a320
GetModuleHandleExW 0x14003a328
LoadLibraryExW 0x14003a330
GetModuleFileNameW 0x14003a338
FreeLibraryAndExitThread 0x14003a340
Name Address
GetNamedSecurityInfoW 0x14003a670
Name Address
WideCharToMultiByte 0x14003a4f0
MultiByteToWideChar 0x14003a4f8
GetStringTypeW 0x14003a500
CompareStringW 0x14003a508
Name Address
Beep 0x14003a600
Name Address
VerSetConditionMask 0x14003a5d0
Name Address
VerifyVersionInfoW 0x14003a300
Name Address
CancelIoEx 0x14003a2c0
DeviceIoControl 0x14003a2c8
Name Address
CancelIo 0x14003a2d8
Name Address
CreateWaitableTimerA 0x14003a518
Name Address
LCMapStringW 0x14003a350
GetACP 0x14003a358
GetCPInfo 0x14003a360
GetOEMCP 0x14003a368
IsValidCodePage 0x14003a370
Name Address
FindWindowA 0x14003a018
GetWindowPlacement 0x14003a020
ShowWindow 0x14003a028
Name Address
RtlUnwindEx 0x14003a4c8
RtlCaptureContext 0x14003a4d0
RtlLookupFunctionEntry 0x14003a4d8
RtlVirtualUnwind 0x14003a4e0
Name Address
IsProcessorFeaturePresent 0x14003a488
Name Address
QueryPerformanceCounter 0x14003a498
Name Address
InitializeSListHead 0x14003a2b0
Name Address
SystemTimeToTzSpecificLocalTime 0x14003a5e0
FileTimeToSystemTime 0x14003a5e8
GetTimeZoneInformation 0x14003a5f0
Name Address
PeekNamedPipe 0x14003a380
Name Address
HeapReAlloc 0x14003a270
GetProcessHeap 0x14003a278
HeapFree 0x14003a280
HeapSize 0x14003a288
HeapAlloc 0x14003a290



Usage


Processing ( 11.02 seconds )

  • 10.294 ProcessMemory
  • 0.709 CAPE
  • 0.01 BehaviorAnalysis
  • 0.006 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 bot_drive
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 tampers_etw

Reporting ( 0.01 seconds )

  • 0.005 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: scp.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4728 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

\??\NUL
C:\Users\Packager\AppData\Local\Temp\scp.exe
C:\Users\Packager\AppData\Local\Temp\
\??\NUL
HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH
HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-64934406-199802361-3218922526-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-64934406-199802361-3218922526-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\DefaultShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-64934406-199802361-3218922526-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.