Analysis

Category Package Started Completed Duration
FILE exe 2025-06-14 09:07:08 2025-06-14 09:37:52 1844 seconds

Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Log(s)
2024-11-25 13:37:15,350 [root] INFO: Date set to: 20250614T06:37:41, timeout set to: 1800
2025-06-14 07:37:41,731 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-14 07:37:41,731 [root] DEBUG: Storing results at: C:\qDdlkFnGz
2025-06-14 07:37:41,731 [root] DEBUG: Pipe server name: \\.\PIPE\wXevDSJXBA
2025-06-14 07:37:41,731 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-14 07:37:41,731 [root] INFO: analysis running as an admin
2025-06-14 07:37:41,731 [root] INFO: analysis package specified: "exe"
2025-06-14 07:37:41,731 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-14 07:37:42,153 [root] DEBUG: imported analysis package "exe"
2025-06-14 07:37:42,153 [root] DEBUG: initializing analysis package "exe"...
2025-06-14 07:37:42,153 [lib.common.common] INFO: wrapping
2025-06-14 07:37:42,153 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-14 07:37:42,153 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\sftp.exe
2025-06-14 07:37:42,153 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-14 07:37:42,168 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-14 07:37:42,168 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-14 07:37:42,168 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-14 07:37:42,387 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-14 07:37:42,481 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-14 07:37:42,512 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-14 07:37:42,527 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-14 07:37:42,543 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-14 07:37:42,543 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-14 07:37:42,543 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-14 07:37:42,543 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-14 07:37:42,543 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-14 07:37:42,543 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-14 07:37:42,543 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-14 07:37:42,543 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-14 07:37:42,543 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-14 07:37:42,543 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-14 07:37:42,543 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-14 07:37:42,543 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-14 07:37:42,543 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-14 07:37:42,543 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-14 07:37:42,700 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-14 07:37:42,700 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-14 07:37:42,700 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-14 07:37:42,700 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-14 07:37:42,700 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-14 07:37:42,700 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-14 07:37:42,700 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-14 07:37:42,700 [modules.auxiliary.disguise] INFO: Disguising GUID to eebf7374-c733-4252-9a71-d3c91b91d619
2025-06-14 07:37:42,700 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-14 07:37:42,700 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-14 07:37:42,700 [root] DEBUG: attempting to configure 'Human' from data
2025-06-14 07:37:42,700 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-14 07:37:42,700 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-14 07:37:42,700 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-14 07:37:42,700 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-14 07:37:42,700 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-14 07:37:42,700 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-14 07:37:42,700 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-14 07:37:42,700 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-14 07:37:42,700 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-14 07:37:42,700 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-14 07:37:42,700 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-14 07:37:42,700 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-14 07:37:42,700 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-14 07:37:42,700 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-14 07:37:42,731 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-14 07:37:42,731 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-14 07:37:42,731 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-14 07:37:42,731 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-14 07:37:42,731 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-14 07:37:42,731 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-14 07:37:42,731 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-14 07:37:42,731 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\EeGlvdpK.dll, loader C:\tmp_gell1p8\bin\PoaYJsgW.exe
2025-06-14 07:37:42,809 [root] DEBUG: Loader: IAT patching disabled.
2025-06-14 07:37:42,809 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\EeGlvdpK.dll.
2025-06-14 07:37:42,840 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-14 07:37:42,840 [root] INFO: Disabling sleep skipping.
2025-06-14 07:37:42,840 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-14 07:37:42,840 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-14 07:37:42,840 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-14 07:37:42,840 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-14 07:37:42,840 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-14 07:37:42,856 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-14 07:37:42,856 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-14 07:37:42,856 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-14 07:37:42,856 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 3696, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-14 07:37:42,856 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-14 07:37:42,871 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-14 07:37:42,871 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-14 07:37:42,871 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\EeGlvdpK.dll.
2025-06-14 07:37:42,871 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-14 07:37:42,871 [roo <truncated>

    

    

    

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-14 09:07:08 2025-06-14 09:37:33 none

File Details

File Name sftp.exe
File Type PE32+ executable (console) x86-64, for MS Windows
File Size 390144 bytes
MD5 028093cc65e2e42efc5ae37f030aa164
SHA1 a83c9de27d43cfb56e827f693b05171b858d0256
SHA256 7651a9e5721c2fcee4c34a253062914ab93c7b3b415d313658b058aed4f2fde2
SHA3-384 11772bf54608627e07274a442aa95672ec3a814d1579ebf8c516a492e074274b502b241ad37ec222350df650a6911f39
CRC32 55FD2AB7
TLSH T14B847C45F7A110F5D4B7D13C89625113F972BCAA0724A7CB67AC4A165F33AE0AE3E720
Ssdeep 6144:pqTjTw9mPw0bLaPpV+y9h+jdi2qAYE4/GgcKuzxywdrHGlUTONZJVxrgZmlx4Cjh:pqrw9mPw0bLaXb9h+Mh84/Gggx5AVx8o

es-ES
w32_writev
%s: Successfully discovered implicit principal name: '%ls'=>'%ls'
AA,A$
Can't ls: Too many matches for "%s"
Filename too long
Couldn't read directory: %s
.text$mn
l$ VWAUAVAWH
Short data block, re-requesting %llu -> %llu (%2d)
L$ SH
Unexpected ACK %u
LookupAccountSidW
[11;6~
)>6{1n
tn-za
LsaFreeMemory
kn-in
KRL file has invalid magic number
es-pe
%s failed to duplicate %s
L9"u&
kok-IN
te-in
Protocol not supported
WSASendCB - ERROR: broken assumption, io:%p, sent:%d, remaining:%d
(t$PH
DefaultShell
A\_^][
xpxxxx
D;=63
GetSystemDirectoryA
Server supports extension "%s" revision %s
ar-lb
%s%s%s
uk-UA
ls: Invalid flag -%c
t$XE3
`eh vector constructor iterator'
LsaOpenPolicy
Message too long
es-cr
pipe - CreateNamedPipe() ERROR:%d
.xJ>Hf
Network unreachable
Unterminated quoted argument
Ec28fc6f98a2c44abbbd89d6a3037d0d9_POSIX_CHROOT
reput
`h````
Couldn't sync file "%s": %s
tvHcD$ HcD
- stalled -
OpenThread
`placement delete[] closure'
se-no
'' !"''#$''''''#'''%&
L$`H3
bs-ba-latn
f9|$`t
LsaLookupAuthenticationPackage failed, lsa auth pkg:%ls error:%x
quz-bo
D$@E3
GetFileInformationByHandle
Retrieving %s
Failure
%s is not a regular file
[12;6~
Couldn't stat remote file: %s
[14;5~
CONOUT$
debug1
%s: lstat failed: %s
-oPermitLocalCommand no
L$ SWH
ar-LY
Input/output error
A_^]
t?H95
D8d$Ht
|$B}u
Bad port "%s"
Illegal byte sequence
IsDebuggerPresent
Download of file %s to %s failed
SetConsoleWindowInfo
t8HcE
hu-HU
@A_A^A\
RtlVirtualUnwind
[18;2~
xrecallocarray: out of memory (%zu elements of %zu bytes)
api-ms-win-core-string-l1-1-0
HfA;0
lowdelay
gl-es
sr-BA-Cyrl
April
GetModuleFileNameW
SetEnvironmentVariableA
Failed to set console input code page from %d to %d error:%d
api-ms-win-core-processthreads-l1-1-1.dll
__unaligned
A_A^A]_^
\\.\Pipe\W32PosixPipe.%08x.%08x
Connection timed out
remote open("%s")
Base Class Descriptor at (
File exists
Monday
LOCAL0
D$0Hc
Vr.>T
s4+sP+
@SUVWATH
|$h@s
Couldn't close local file "%s": %s
elliptic curve does not match
.CRT$XCA
Address already in use
D8<8u
en-ca
es-SV
BKMGTPE
D$@9D$
tx@87ts@
0A_A^A]_]
t$8H+
UnhandledExceptionFilter
Operation would block
stdE;
send - ERROR: flags are not currently supported, io:%p
basename %s: %s
GetWindowsDirectoryW
HcL$0H
%s;%s;%.*s
%s %3s %-*s %-*s %8s %s %s
t$ AVH
w32_shutdown
dSOFTWARE\OpenSSH
?:kP<
system32\cmd
@SUVWATAUAVAWH
Error from vsnprintf_s!
\$ VWATAUAWH
HcD$<H
GetSystemDirectoryW
reget [-fPpRr] remote [local] Resume download file
select - ERROR: invalid fds: %d
f9,Yu
VS_VERSION_INFO
D8$+u
t=HcC
hA_A\^[
8&u#H
A:(uiI
nan(snan)
Failed to set console input code page from:%d to %d error:%d
open - ERROR: Unsupported flags: %d
[14;4~
A_A^_^]
A_A^A]_[]
DAEMON
+D$4A;G
.CRT$XCZ
select - ERROR: max #events breach
sma-SE
D$`H90
digit
write - ERROR:%d on prior unblocking write, io:%p
/x:/..
sv-SE
tHHcD$@H
nn-NO
D$$HcD$$H
w32_fchmod
LsaFreeMemory failed with ntstatus: %d
kernel32
__pascal
invalid certificate
WSARecv - WSARecv() ERROR: io:%p %d
bignum is negative
.CRT$XPA
SeBackupPrivilege
WaitForMultipleObjectsEx
.data
lt-lt
WSADuplicateSocketW
@VAVAWH
CRYPT32.dll
[15;8~
A_A^A]A\_^][
RtlUnwindEx
[25;4~
sma-se
en-tt
9D$h~3
No message of the desired type
SleepEx
api-ms-win-core-xstate-l2-1-0
mt-MT
KXHcS8
get_decode_stat
unknown error
tQHcD$0H
Size Used Avail (root) %%Capacity
Received statvfs reply T:%u I:%u
LOCAL5
CreateFileA
recv - ERROR: flags are not currently supported, io:%p
USVAVH
!,X< w
|$p@s
Read packet: %s
put [-afPpRr] local [remote] Upload file
80tWD
\$ UVWAVAWH
GetProcAddress
%4lld%c%s
PeekNamedPipe
[19;3~
ProductName
|$(A^
D+AHH
TlsGetValue
3>fvw
sr-sp-cyrl
string is too large
IsValidSecurityDescriptor return FALSE
select - ERROR: null fd_sets
fD97t
sftp>
w32_setsockopt
.idata$6
D$`E3
ExitProcess
Connection closed
listen - CreateEvent() ERROR:%d, io:%p
zh-sg
api-ms-win-core-heap-l1-1-0.dll
el-GR
fr-fr
kok-in
tr-TR
ALL VIRTUAL USERS
D$HE3
posix-rename@openssh.com
?QY^&
es-gt
HcD$D3
Unable to resume download of "%s": local file is larger than remote
Link has been severed
9D$@}4HcD$@H
te-IN
[21;6~
?UUUUUU
FileVersion
ssh.exe
HeapSize
ar-tn
f9l$Dt
w32_dup
Couldn't read packet: %s
fD9$Au
L$hH3
IsValidSecurityDescriptor
p AWH
!>6'Y
-oForwardAgent no
TlsAlloc
D$P9D$ }KHcD$ Hk
Server version does not support lstat operation
C(+C +K$
ar-JO
D$49D$0}fHcD$0H
finish_connect - ERROR: async io completed with error: %d, io:%p
HcD$@H
GetConsoleMode
ext-ms-
get_handle
t$ E3
Improper link
chown own path Change owner of file 'path' to 'own'
LogonUserExExW
FakeDomain
Permission denied
ar-KW
zh-cn
RoInitialize
Couldn't change local directory to "%s": %s
GetExitCodeProcess
generate_s4u_user_token
dup2: %s
D$PHc
UAVAWH
fD9\$pt
GetFullPathNameA
OpenSSH SSH client
operator ""
ReadConsoleOutputA
D$A:.
[14;7~
[15;7~
accept - ERROR:%d, io:%p
utf16_to_utf8 failed to convert lsa_auth_pkg_w:%ls
nn-no
Sent message %s "%s" -> "%s"
%d %04d-%02d-%02d %02d:%02d:%02d.%03d %s
A^A]A\
quz-EC
div-mv
do_symlink
en-za
`dynamic initializer for '
fB94ht
9^ t"H
truncating at %llu
Not a directory
__ptr64
xA_A^A]A\_^[]
ar-iq
no matching compression method found
strdup
Couldn't fsetstat: %s
H9D$ s{
BHcD$@H
[-D sftp_server_path] [-F ssh_config] [-i identity_file] [-l limit]
@UATAUH
t$ WATAWH
es-GT
domain name "%.100s" contains consecutive separators
Operation not supported on socket
@UVWATAUAVAWH
WSARecv - ERROR:%d, io:%p
|$\.u
fr-ca
D$0Hk
No child processes
Couldn't create local directory "%s": %s
EventRegister
Not a STREAM
D9%OU
es-PR
FakePasswd
DEBUG2
kk-KZ
Failed to open file:%S error:%d
ot$ H
D82u&H
/cygdrive/
Changing owner on %s
VERBOSE
Request range %llu -> %llu (%d/%d)
%s failed error:%d
Connection already in progress
de-LU
ms-my
HeapAlloc
A_A^A\_^
@SUAUAVH
SetConsoleTextAttribute
tt-ru
L$(L+
0A__^
Not running as SYSTEM: skipping loading user profile
SSH2_FXP_STATUS %u
es-PY
FlsFree
Received data %llu -> %llu
HcL$@H
api-ms-win-core-winrt-l1-1-0
ls [-1afhlnrSt] [path] Display remote directory listing
LsaSidNameMappingOperation_SidCollision
u&D9%
L$pH3
FreeEnvironmentStringsW
[17;3~
Is a directory
H3E H3E
en-AU
D$4Hk
lmkdir
hr-BA
LOCAL2
hi-IN
eLK(w
[-s subsystem | sftp_server] destination
IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll
August
0A]A\]
`vector destructor iterator'
progress
D$8H9D$Hu+
[13;7~
MM/dd/yy
.rsrc$02
CreateWaitableTimerW
console doesn't support the ansi parsing
remote readdir("%s")
[24;3~
"%s" has negative size
You must specify two paths after a %s command.
|$`H97
en-US
reput [-fPpRr] [local] remote Resume upload file
Failed to open dir "%s": %s
''''''''''''''''''''''''''''''''''
FindNextFileW
send - WSASend() ERROR:%d, io:%p
TlsSetValue
listen - Ioctl2 ERROR:%d, io:%p
WriteCB - ERROR: broken assumption, io:%p, wrote:%d, remaining:%d
LsaManageSidNameMapping failed with ntstatus: %d
|$ H=
?HcD$@H
FlsAlloc
FindClose
chown
es-ve
st_mode_to_file_att()
en-gb
L$HHc
fE90t
VWATAVAWH
[13;2~
UVWATAUH
uAiD$@
Resuming %s to %s
filesystem containing 'path'
api-ms-win-security-systemfunctions-l1-1-0
invalid certificate signing key
[20;3~
api-ms-win-core-sysinfo-l1-2-1
L$(H3
L(:A:
powershell
D8l$ht
GetCurrentProcessId
ky-kg
L$XH3
`default constructor closure'
ERROR: MAX_FDS limit reached
%s ERROR: bad fd: %d
Interrupted function call
Operation not permitted
%s: Successfully discovered explicit principal name: '%ls'=>'%ls'
es-PE
`vbase destructor'
agent not present
@8t(8}
LsaAddAccountRights
I9^ A
Command not implemented
Base Class Array'
D+d$8H
w32_fcntl
generate_sshd_virtual_token
pl-PL
[18;4~
listen - Ioctl1 ERROR:%d, io:%p
api-ms-win-core-file-l1-1-0.dll
CreateWaitableTimerA
9D$ }c
socketio_setsockopt
vi-VN
Invalid parameter in function: %ls. File: %ls Line: %d.
[13;3~
`placement delete closure'
Successfully set console output code page from:%d to %d
Can't change directory: Can't check target
ar-kw
WaitForSingleObjectEx
Received SSH2_FXP_STATUS %d
[18;8~
w32_lseek
ar-QA
HcD$(H
WriteConsoleW
U8D8;A
`vcall'
api-ms-win-core-io-l1-1-1.dll
tZHcD$@H
V6E>`"(5
GetConsoleScreenBufferInfo failed with %d
incorrect signature
4FM9'u
connectex - ERROR ConnectEx() :%d, io:%p
sspicli.dll
T$hD+
Unable to Print: Printer not assigned. Press any key to continue...
/HcD$@H
el-gr
@USWH
%s: LookupAccountName() failed: %d.
[13;4~
@USVWH
FakeUser
ms-BN
HcH<H
)H+}0
.CRT$XIZ
connectex - ERROR: unsuppored address family:%d, io:%p
quz-pe
Unrecognised server extension "%s"
[13;6~
chmod mode path Change permissions of file 'path' to 'mode'
FATAL
InitializeCriticalSectionEx
8[u.H
!This program cannot be run in DOS mode.
usage: %s [-46aCfpqrv] [-B buffer_size] [-b batchfile] [-c cipher]
Sent message hardlink@openssh.com "%s" -> "%s"
@A^_^
es-ar
debug3
Changing to: %s
fA9<Fu
L;5<M
api-ms-win-eventing-provider-l1-1-0.dll
;D$Ds
L$ I;
D$PH+
The socket is not connected
K~Je#>!
L$ H+
api-ms-win-core-kernel32-legacy-l1-1-1.dll
sftp.pdb
lumask
A^_^[]
D$h9D$ }
`eh vector destructor iterator'
USER32.dll
January
GetDateFormatEx
invalid format
L$&8\$&t-8Y
pipe - ERROR CreateFile() :%d
[20;2~
+f)>0'
-oClearAllForwardings yes
recv - ERROR: invalid arguments, buf:%p, len:%d, io:%p
zu-za
tDE3
api-ms-win-core-synch-l1-1-0.dll
Can't find request for ID %u
setsockop - ERROR: unsupported optname:%d io:%p
[17;4~
%lld.%1lld%c
Couldn't wait for ssh process: %s
yBNu'
D$ f;
8A^A]][
cwd is not currently within chroot
fD9!u
|$8@s
@L9D$`s
D$ HcD$ H
Couldn't statvfs: %s
w32_write
EnterCriticalSection
LOCAL6
f;D$2tC
es-NI
\$ E3
ConvertStringSecurityDescriptorToSecurityDescriptorW
wait_for_any_event() - ERROR max events reached
process_custom_lsa_auth
D$P I
%s: LsaLogonUser() failed. User '%ls' Status: 0x%08X SubStatus %d.
L$`H;
%s: ID mismatch (%u != %u)
%s - unable to generate user token for %s as i am not running as system
#HcD$HE3
t$0I;
%s: unable to open policy handle, error: %d
WriteFileEx
Timer expired
LookupAccountNameW
`typeof'
w32_settimes - SetFileTime ERROR:%d
graph
,I<%w
</requestedPrivileges>
uoHcD$$H
700WP
GetCurrentProcess
f9|$^t&f
cs-CZ
nl-be
9D$0}-
xf;={
LOCAL4
******
fa-IR
Couldn't read from remote file "%s" : %s
HcD$\H
d$ E3
advapi32.dll
lseek - ERROR, origin is not supported %d
__cdecl
D$@H+
fD9#u
LocalFree
[-o ssh_option] [-P port] [-R num_requests] [-S program]
u$HcD$0H
D$0HcD$0L
Connection refused
[25;2~
</assembly>
CryptBinaryToStringA
Sent message SSH2_FXP_SYMLINK "%s" -> "%s"
Domain error
A_A^_^][
smj-SE
r9D8v
Translation
(D$PH
A_A^A]A\_^]
en-cb
9D$@u
Server does not support hardlink@openssh.com extension
L$ VWAWH
ar-qa
FlsSetValue
mr-IN
se-NO
df [-hi] [path] Display statistics for current directory or
~ $s%r
TlsFree
alnum
it-IT
finish_connect - ERROR: setsockopt failed:%d, io:%p
D$`9D$$}
SeServiceLogonRight
delete[]
GetNamedSecurityInfoW
HcD$DHcL$DH
l$ WATAWH
no matching key exchange method found
failed to get final path of file with handle:%d error:%d
O:%sD:PAI(A;;FA;;;BA)(A;;FA;;;SY)%s%s
[24;2~
%s - ERROR:%d
L$ fff
uF9C0u<
[11;3~
.CRT$XIAC
No space left on device
zh-SG
L$0H;
D$49C
ProductVersion
FlushFileBuffers
domain name "%.100s" starts with invalid character
sv-FI
`managed vector constructor iterator'
symlink
.exe
tilde_expand_filename: No such user %s
%02d:%02d
I96t:H
[24;8~
gu-IN
rename
ShowWindow
IsValidSid
help Display this help text
.CRT$XIAA
pa-in
D$29D$h|
A_A^A\_^[]
Hc;9E0t
LsaClose
es-ni
exec_command_with_pty
Too many open files
t$(I;
out of memory
api-ms-win-core-processthreads-l1-1-2
H9D$(
HcD$XH
[18;6~
agent refused operation
ta-in
D$0E3
quz-BO
fA;8utI
invalid argument
.idata$2
w32_accept
?[u+H
x AVH
api-ms-win-core-debug-l1-1-0.dll
@SVAVH
[14;2~
;D$Tu
L$(H+
H95YL
unable to alloc memory
|$PE3
L$dE3
[18;7~
acceptEx - socket() ERROR:%d, io:%p
pl-pl
t$`H;
LceoA
u$HcD$ H
%s - failed to execute %ls, error:%d
Got multiple names (%d) from SSH_FXP_REALPATH
@UAVAWH
ns-ZA
%s: %s
fC9<hu
H!D$ E
.xdata
D$$9D$ s
QUIET
8*u;I
api-ms-win-core-synch-l1-2-0
az-az-latn
\$HfA
actual_read %d exceeds the limit:%d
zh-CHS
api-ms-win-core-namedpipe-l1-1-0.dll
en-bz
Expected SSH2_FXP_DATA(%u) packet, got %u
de-at
Couldn't link file "%s" to "%s": %s
api-ms-win-core-fibers-l1-1-1
"f9;t
kE>fvw
D8d$Xt
TUUUU
GetModuleHandleExW
LsaSidNameMappingOperation_NameCollision
WriteThread thread - ERROR QueueUserAPC failed %d, io:%p
[21;2~
L$xHc
api-ms-win-core-localization-obsolete-l1-2-0
t&D8d$@t
fr-CH
rmdir path Remove remote directory
unable to know if I am running as system
could not read protocol version
GetLocalTime
es-UY
se-SE
SetFilePointerEx
es-CO
End of file
chgrp
[18;3~
GetWindowPlacement
t$ WATAUAVAWH
GetLastError
[19;4~
@USVWATAUAVAWH
DEBUG3
\$@H;
ar-IQ
w32_fstat
Sending SSH2_FXP_READDIR I:%u
zh-chs
EventWrite
[12;3~
fffffff
Read-only file system
invalid elliptic curve value
failed to duplicate %s
es-VE
SetConsoleMode
p WATAUAVAWH
mkdir %s: %s
empty domain name
AllocateLocallyUniqueId failed, error:%d
AUAVAWH
D$ HcD$@H
LSA auth request, user:%s lsa_pkg:%s
get_status
bad permissions
Couldn't remove directory: %s
socketio_shutdown
createFile_flags_setup() failed.
api-ms-win-security-lsalookup-l2-1-0.dll
api-ms-win-security-sddl-l1-1-0.dll
mr-in
zh-cht
D$P9D$0
read - no more data, io:%p
zh-tw
es-MX
pt-br
mkdir
w32_getsockopt
CancelIoEx
invalid elliptic curve
pA_A^A]A\_^]
fcntl - SetHandleInformation failed with error:%d, io:%p
fA9<^u
%7sB %7sB %7sB %7sB %s
api-ms-win-core-timezone-l1-1-0.dll
NAN(SNAN)
%s: Expected SSH2_FXP_HANDLE(%u) packet, got %u
AllocateAndInitializeSid failed with group SID
ur-pk
%s - unable to generate token for user %ls
Couldn't delete file: %s
bn-IN
sr-BA-Latn
A_A^A]A\]
v2!L.2
f9,~u
es-ec
CancelWaitableTimer
CopySid
D$H9D$
ml-in
`.rdata
[13;8~
fatal
ar-BH
gfffL
RegCloseKey
GetFileAttributesExW
c28fc6f98a2c44abbbd89d6a3037d0d9_POSIX_CHROOT
f9<iu
fo-fo
|$ UATAUAVAWH
@USVATAUH
rmdir
de-LI
fD9'u
Missing hostname
lchdir

PE Information

Image Base: 0x140000000
Entry Point: 0x00024150
Reported Checksum: 0x00061367
Actual Checksum: 0x00061367
Minimum OS Version: 6.0
PDB Path: sftp.pdb
Compile Time: 2018-07-31 19:25:29
Import Hash: f439e59d3bd1d28d6abd4ccfcbd7aeb9

Version Infos

FileVersion 7.7.2.1
ProductName OpenSSH for Windows
ProductVersion OpenSSH_7.7p1 for Windows
Translation 0x0409 0x04b0

Sections

| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x000443b0 | 0x00044400 | IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ | 6.33 |
| .rdata | 0x00044800 | 0x00046000 | 0x0001168c | 0x00011800 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ | 5.36 |
| .data | 0x00056000 | 0x00058000 | 0x0000b824 | 0x00005400 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE | 4.80 |
| .pdata | 0x0005b400 | 0x00064000 | 0x00003240 | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ | 5.51 |
| .rsrc | 0x0005e800 | 0x00068000 | 0x000003d0 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ | 4.26 |
| .reloc | 0x0005ec00 | 0x00069000 | 0x000007f8 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ | 5.40 |

| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x000680a0 | 0x000001ac | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.35 | None |
| RT_MANIFEST | 0x00068250 | 0x0000017d | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.91 | None |

Imports

Name Address
GetTickCount64 0x1400465c8
GetSystemTimeAsFileTime 0x1400465d0
GetWindowsDirectoryW 0x1400465d8
GetSystemDirectoryW 0x1400465e0
GetSystemDirectoryA 0x1400465e8
GetLocalTime 0x1400465f0
Name Address
GetConsoleCP 0x140046098
ReadConsoleW 0x1400460a0
ReadConsoleInputW 0x1400460a8
WriteConsoleW 0x1400460b0
SetConsoleMode 0x1400460b8
SetConsoleCtrlHandler 0x1400460c0
GetConsoleMode 0x1400460c8
Name Address
IsDebuggerPresent 0x140046158
DebugBreak 0x140046160
Name Address
ResetEvent 0x140046548
SetEvent 0x140046550
SetWaitableTimer 0x140046558
CreateEventA 0x140046560
WaitForMultipleObjectsEx 0x140046568
WaitForSingleObjectEx 0x140046570
SleepEx 0x140046578
InitializeCriticalSectionAndSpinCount 0x140046580
DeleteCriticalSection 0x140046588
LeaveCriticalSection 0x140046590
EnterCriticalSection 0x140046598
WaitForSingleObject 0x1400465a0
CancelWaitableTimer 0x1400465a8
Name Address
QueueUserAPC 0x140046408
CreateThread 0x140046410
ExitThread 0x140046418
OpenProcessToken 0x140046420
GetCurrentProcess 0x140046428
TerminateThread 0x140046430
GetCurrentProcessId 0x140046438
CreateProcessAsUserW 0x140046440
TerminateProcess 0x140046448
GetCurrentThreadId 0x140046450
ExitProcess 0x140046458
OpenThread 0x140046460
TlsFree 0x140046468
TlsSetValue 0x140046470
TlsGetValue 0x140046478
GetStartupInfoW 0x140046480
CreateProcessW 0x140046488
TlsAlloc 0x140046490
GetExitCodeProcess 0x140046498
Name Address
SetUnhandledExceptionFilter 0x140046170
UnhandledExceptionFilter 0x140046178
GetLastError 0x140046180
RaiseException 0x140046188
SetLastError 0x140046190
Name Address
CreateWaitableTimerA 0x140046538
Name Address
GetStdHandle 0x1400463a8
ExpandEnvironmentStringsW 0x1400463b0
SetCurrentDirectoryW 0x1400463b8
SetEnvironmentVariableW 0x1400463c0
SetEnvironmentVariableA 0x1400463c8
FreeEnvironmentStringsW 0x1400463d0
SetStdHandle 0x1400463d8
GetCommandLineA 0x1400463e0
GetCommandLineW 0x1400463e8
GetEnvironmentStringsW 0x1400463f0
GetCurrentDirectoryW 0x1400463f8
Name Address
FindClose 0x1400461a0
GetFileAttributesExW 0x1400461a8
SetFileAttributesW 0x1400461b0
GetFullPathNameA 0x1400461b8
GetFullPathNameW 0x1400461c0
FindFirstFileExW 0x1400461c8
FindNextFileW 0x1400461d0
GetLogicalDriveStringsW 0x1400461d8
GetDriveTypeW 0x1400461e0
GetDiskFreeSpaceExW 0x1400461e8
ReadFile 0x1400461f0
WriteFile 0x1400461f8
CreateDirectoryW 0x140046200
CreateFileW 0x140046208
FlushFileBuffers 0x140046210
GetFileType 0x140046218
CreateFileA 0x140046220
GetFinalPathNameByHandleW 0x140046228
ReadFileEx 0x140046230
SetFilePointerEx 0x140046238
SetEndOfFile 0x140046240
WriteFileEx 0x140046248
SetFileTime 0x140046250
GetFileInformationByHandle 0x140046258
Name Address
SetHandleInformation 0x140046268
DuplicateHandle 0x140046270
CloseHandle 0x140046278
Name Address
CryptBinaryToStringA 0x140046000
CryptStringToBinaryA 0x140046008
Name Address
WSAStartup 0x140046038
WSAGetOverlappedResult 0x140046040
setsockopt 0x140046048
getsockname 0x140046050
closesocket 0x140046058
WSAGetLastError 0x140046060
WSADuplicateSocketW 0x140046068
WSASocketW 0x140046070
socket 0x140046078
WSARecv 0x140046080
WSASend 0x140046088
Name Address
CreateWaitableTimerW 0x1400465b8
Name Address
GetProcAddress 0x140046328
FreeLibrary 0x140046330
LoadLibraryExW 0x140046338
GetModuleHandleExW 0x140046340
GetModuleHandleW 0x140046348
FreeLibraryAndExitThread 0x140046350
GetModuleFileNameW 0x140046358
Name Address
IsValidAcl 0x140046658
IsValidSecurityDescriptor 0x140046660
CopySid 0x140046668
GetAce 0x140046670
IsValidSid 0x140046678
GetLengthSid 0x140046680
IsWellKnownSid 0x140046688
GetTokenInformation 0x140046690
Name Address
LocalFree 0x1400462b8
Name Address
LookupAccountSidW 0x1400466a0
LookupAccountNameW 0x1400466a8
Name Address
GetNamedSecurityInfoW 0x1400466b8
Name Address
CreateNamedPipeA 0x140046300
GetComputerNameW 0x140046308
Name Address
RegQueryValueExW 0x1400464c8
RegCloseKey 0x1400464d0
RegOpenKeyExW 0x1400464d8
Name Address
WideCharToMultiByte 0x140046510
GetStringTypeW 0x140046518
MultiByteToWideChar 0x140046520
CompareStringW 0x140046528
Name Address
Beep 0x140046630
Name Address
VerSetConditionMask 0x140046600
Name Address
VerifyVersionInfoW 0x140046318
Name Address
DeviceIoControl 0x1400462d8
CancelIoEx 0x1400462e0
Name Address
CancelIo 0x1400462f0
Name Address
GetOEMCP 0x140046368
IsValidCodePage 0x140046370
LCMapStringW 0x140046378
GetCPInfo 0x140046380
GetACP 0x140046388
Name Address
ShowWindow 0x140046018
GetWindowPlacement 0x140046020
FindWindowA 0x140046028
Name Address
RtlLookupFunctionEntry 0x1400464e8
RtlCaptureContext 0x1400464f0
RtlUnwindEx 0x1400464f8
RtlVirtualUnwind 0x140046500
Name Address
IsProcessorFeaturePresent 0x1400464a8
Name Address
QueryPerformanceCounter 0x1400464b8
Name Address
InitializeSListHead 0x1400462c8
Name Address
SystemTimeToTzSpecificLocalTime 0x140046610
FileTimeToSystemTime 0x140046618
GetTimeZoneInformation 0x140046620
Name Address
PeekNamedPipe 0x140046398
Name Address
HeapReAlloc 0x140046288
HeapAlloc 0x140046290
GetProcessHeap 0x140046298
HeapSize 0x1400462a0
HeapFree 0x1400462a8
Name Address
GetTimeFormatW 0x140046140
GetDateFormatW 0x140046148
Name Address
EventWrite 0x140046640
EventRegister 0x140046648


Usage


Processing ( 10.81 seconds )

  • 10.158 ProcessMemory
  • 0.631 CAPE
  • 0.009 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 ursnif_behavior
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.005 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: sftp.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 832 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

\??\NUL
\??\NUL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.