Windows Analysis Report
SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Overview

General Information

Sample name: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
Analysis ID: 1437706
MD5: f886615860dbbcd3fe966cf1c79203f9
SHA1: cdcce183c817b5a291dd2a3d6ef6dca93ce3f01d
SHA256: 5a0ae314a3ccfcd8e2a77585fb96f650574aac0d5dcb48a85f2f4e0be698845f
Tags: exe

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly
Creates a process in suspended mode (likely to inject code)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://api.ngrok.comhttps://ngrok.com/tosin
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/api
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/api/keys)API
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/api/keys.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscription
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscription-----BEGIN
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscription0001020304050607080910111213141516171819202122232425
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionA
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionAn
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionCPU
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionCreate
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionCreates
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionEmpty
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionEndpoints
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionGenerate
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionHTTP/1.1
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionID
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionIf
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionInvalid
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionOnly
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionSSH
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionThis
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionYou
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionYour
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptiona
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionif
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptiontls:
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionunable
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenCertificate
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenStatusNormalClosureStatusGoingAwayStatusProtoc
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenTunnel
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenUpdates
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenduplicate
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenthe
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/security/ip-restrictionsThe
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/signup
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/tunnels/ssh-keys
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dashboard.ngrok.com/tunnels/ssh-keysa
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://dns.google.com/resolve?https://update.equinox.io/checkillegal
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)the
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://github.com/spf13/cobra/issues/1279
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://github.com/spf13/cobra/issues/1508
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://ngrok.com/docs/a...Abuse
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://ngrok.com/docs/api#authentication)ngrok
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://ngrok.com/docs/api#tls-certificates-pem)Certificate
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://ngrok.com/docs/cloud-edge#compatible-clientsYour
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C0000E6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ngrok.com/docs/errors/err_ngrok_8012
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://ngrok.com/docs/ngrok-link#service-api-content-typeOnly
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://ngrok.com/docs/ngrok-link#tls-certificates-key)Private
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://ngrok.com/tos
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: https://status.ngrok.com/
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000F6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C000246000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000EE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C000224000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2134733558.000000C000320000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C000112000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000F6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000EE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2134733558.000000C000320000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-K3RD62G
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C0000EA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.ngrok.com
Source: classification engine Classification label: sus22.winEXE@6/2@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4784:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe File opened: C:\Windows\system32\284e2d521e76f96e45b73009c145aae39fcc3a980f27ffa0f86c0e7e5b4b42caAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: _DATERANGE_GTSVECTOR_INT4RANGE_INT8RANGE_OIDVECTOR_REFCURSOR_REGCONFIG_TIMESTAMP_TINTERVAL_TSTZRANGE__complete_timestamp_tstzrangearg %d: %watomicand8audio/aiffaudio/midiaudio/mpegaudio/waveavx512bf16avx512gfniavx512ifmaavx512vaesavx512vbmiavx512vnnibackgroundbackprime;backsimeq;bad varintbasic-authbasic_authbigotimes;bytes */%dcenterdot;checkmark;cidr-allowcompletioncomplex128complexes;connectingconnectioncontentioncreatetempdebug calldecode: %sdefinitiondependencydeprecateddns: <nil>dnsapi.dlldotsquare;downarrow;error.htmlexitThreadexp masterextensionsfloat32nanfloat64nanfont/woff2formactionformmethodformtargetgetsockoptgo_packagegoogle.comgoroutine grpc.Recv.grpc.Sent.gtrapprox;gtreqless;gvertneqq;heapgrowthheartsuit;http-equivhttp-proxyhttp_proxyimage/avifimage/jpegimage/webpimpossibleinput_typeinstanceofint32Sliceint64Sliceinvalid IPinvalidptrkeep-alivekrbsrvnamelatency_msleftarrow;lesseqgtr;local-addrlog-formatlvertneqq;mSpanInUsematch-typemediagroupmodule.addmultipart-ngeqslant;nleqslant;notifyListnovalidatenparallel;nshortmid;nsubseteq;nsupseteq;oidc-scopeoneof_declowner diedpick_firstpitchfork;powershellpprof_addrprincipalspublic-keyradiogrouprationals;res binderres masterresumptionroundrobinrune <nil>runtime: gs.state = schedtracesemacquireset-cookiesetsockoptshort readsocks bindspadesuit;spellchecksslRequeststackLargestream endsubseteqq;subsetneq;supseteqq;supsetneq;t.Kind == tc_pvalloctc_reallocterminatedtherefore;ticks.locktracefree(tracegc()
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: parse errorpassthroughpb.db_codecplaceholderpostgres://precapprox;proxy-protopurge entryraw-controlread %q: %wreflect.SetreflectOffsremote-addrretry-afterrightarrow;rmoustache;round_robinruntime: P runtime: p runtime\..*scheddetailsechost.dllsecur32.dllserver_addrshell32.dllshort writesqsubseteq;sqsupseteq;sslrootcertstack tracestatus-codestream_idlestringArraystringSlicestringToIntsubsetneqq;succapprox;supsetneqq;tc_memaligntc_newarraytime: file timestamptztls: alert(tracealloc(traffic updtransparentunreachableupuparrows;userenv.dllvalid-aftervalid-untilvarepsilon;varnothing;version.dllwsarecvfromyYnNtTfFoO~ (sensitive) B (
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: .WithDeadline(.in-addr.arpa./abuse_reports/anon_hugepage/requests/http/tunnels/:name01-02|15:04:05127.0.0.1:4040190734863281252006010215040595367431640625: extra text: :[^/#?()\.\\]+<not Stringer>> :path: [%s]
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: [0m=%s_REGDICTIONARY_TXID_SNAPSHOTaccept-charsetadmin_shutdownallocfreetracebad allocCountbad record MACbad restart PCbad span statebigtriangleup;blacktriangle;body_write_errbuffer is fullbytes %d-%d/%dcannot scan %Tcase_not_foundcertificate-idcommand failedcontent-lengthcrash_shutdowndata truncateddata_corrupteddata_exceptiondeflate decodedivideontimes;document startduplicate_fileelliptic-curveencode requestfailed to authfallingdotseq;fdw_no_schemasfile too largefinalizer waitfirst_settingsformnovalidategcstoptheworldgetprotobynamegrouping_errorgrpc-trace-binhelp [command]hookleftarrow;http_proxy_envint4multirangeint8multirangeinternal errorinternal_errorinvalid Prefixinvalid kind: invalid methodinvalid statusinvalid syntaxis a directorykey size wrongleftarrowtail;leftharpoonup;len of type %slevel 2 haltedlevel 3 haltedlongleftarrow;looparrowleft;measuredangle;memory storagemessage is nilmodule.enabledmutual-tls-casneed more datangrok-diagnosenil elem type!no module datano such deviceno such regionnot an ip:portntriangleleft;oidc-client-idoidc.client-idpb.dash_unsafepb.enum_prefixping_on_streampollCache.lockpostgresql.crtpostgresql.keyprefix length protobuf errorprotobuf_oneofprotocol errorquery_canceledread mem statsread_frame_eofrequested stopreserved-addrsreserved_rangeruntime: full=runtime\.panics.allocCount= semaRoot queuesequence startsession closedshortparallel;show_sensitivesignal handlersmallsetminus;stack overflowstarted tunnelstopm spinningstore64 failedstringToStringsync.Cond.Waittc_deletearraytc_new_nothrowtext file busytoo many linkstoo many userstrailers_bogustriangleright;trimRightSpaceundefined_fileunexpected EOFunknown code: unknown error unknown methodunknown mode: unknown node: unreachable: unsafe.Pointerupdate appliedupdate_channelupharpoonleft;varsubsetneqq;varsupsetneqq;verify-webhookwinapi error #work.full != 0zero parameter with GC prog
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: Operation ID: %sambiguous_functionappendIfNotPresentapplication/x-gzipbackend.backend-idbad Content-Lengthbad authenticationbad extended rcodebad lfnode addressbad manualFreeListbad resolver stateblacktriangledown;blacktriangleleft;bufio: buffer fullcannot_connect_nowcleantimers: bad pcollation_mismatchconnection is idleconnection refusedconnection_failurecontext.Backgrounddecoding error: %vdelete-certificatedeprecated_featuredetect init systemduplicate name: %qduplicate_databaseduplicate_functionelem align too bigempty Huffman treeevent-destinationsexceeded max depthexpected element <export restrictionextra_float_digitsfailed to ping: %wfailed to read: %wfaketimeState.lockfdw_invalid_handlefile name too longflag %q contains =flag redefined: %sforEachP: not doneframe_goaway_shortgarbage collectionhalf join completeheartbeat receivedhttp: no such fileidentifier removedin numeric literalindex out of rangeindicator_overflowinput/output errorinvalid IP addressinvalid XML name: invalid character invalid config: %vinvalid hex formatinvalid length: %dinvalid length: %vkerberos error: %sleftrightharpoons;len of nil pointerless than a minutelock_not_availablemalloc_zone_callocmalloc_zone_mallocmalloc_zone_vallocmodule.force-authnmodule.min-versionmodule.num-bucketsmultihop attemptedmutual-tls.enablednegative bit indexnegative_int_valuenetip.ParsePrefix(ngrok-api-client/0no child processesno locks availableno secrets definedno signature foundnon-minimal lengthnot_null_violationoauth-allow-domainoidc app client idoidc-client-secretoidc.client-secretoidc.cookie-prefixoperation canceledoverflow packing apermessage-deflateport not a number?positive_int_valueprivate-key-formatprotocol_violationproxy-authenticateread timed out: %wreceived from peerreflect.Value.Callreflect.Value.Elemreflect.Value.Sendreflect.Value.Typereflect.Value.Uintreflect: Zero(nil)request-header-addrestrict_violationrightleftharpoons;runtime.semacreateruntime.semawakeupruntime: npages = runtime: range = {runtime: textAddr saml.cookie-prefixsaml.nameid-formatsegmentation faultsequence truncatedsilence-semicolonsstart a TCP tunnelstart a TLS tunnelstarting componentstatic/favicon.icostreams pipe errorsystem page size (tag:yaml.org,2002:termbox.EventErrortext/javascript1.0text/javascript1.1text/javascript1.2text/javascript1.3text/javascript1.4text/javascript1.5the stream is donetoo_many_argumentstracebackancestorstrailers_not_endedtruncated sequencetwoheadrightarrow;unable to parse IPundefined_functionunexpected messageunexpected newlineunexpected type %Tunknown error: %#vunknown flag: --%sunknown service %vunknown time zone update in progressuse of closed fileuse tcp keep-alivevalue out of rangewaiting for update commands+=(%q)
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: panic holding lockspanicwrap: no ( in panicwrap: no ) in parsing profile: %vpb.cli_pretty_printpb/extensions.protoproxy-authorizationpy_generic_servicesrange too short: %vreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Slicerequest body closedrequest-headers.addresponding with 502response-header-addrevoked certificatersa: internal errorruntime: g0 stack [runtime: pcdata is runtime: preempt g0runtime\.call[0-9]*sampling period=%d
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: after top-level valuearray_subscript_errorasync stack too largeat range loop break: bad magic value foundbad number syntax: %qbad type in compare: block device requiredbuffer size too smallbufio: negative countcannot marshal type: cannot put %d into %Tcardinality_violationcheckdead: runnable gcommand not supportedconcurrent map writesdecompression failuredefer on system stackdiagnostics_exceptionexec: already startedexpected DOCUMENT-ENDexpected STREAM-STARTfailed to deserializefdw_invalid_data_typefeature not supportedfeature_not_supportedfindrunnable: wrong pflag %q begins with -flow control violatedforeign_key_violationframe_ping_has_streamgoogle.protobuf.Valuehttp: Handler timeouthttp: invalid patternhttp: nil Request.URLhttps-edge-mutual-tlshttps-edge-route-oidchttps-edge-route-samlhttps://api.ngrok.comhttps://ngrok.com/tosin string escape codeinternal server errorinvalid NumericStringinvalid emitter stateinvalid named captureinvalid nil Timestampinvalid scalar lengthinvalid stream id: %djava_generic_serviceskey is not comparablelink has been severedlistening on %s (%s)
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: Press return to continue...ReservedAddrUnavailableCodeRun '%v --help' for usage.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: .lib section in a.out corrupted/edges/tls/{{ .ID }}/mutual_tls/tunnel_sessions/{{ .ID }}/stop11368683772161602973937988281252006-1-2T15:4:5.999999999Z07:002006-1-2t15:4:5.999999999Z07:005684341886080801486968994140625APIRequestRateLimitExceededCodeAccount name must not be empty.BackendStaticAddressInvalidCodeBackendStaticAddressMissingCodeBillingAddressInvalidLengthCodeBillingEmailDeleteProtectedCodeBindACLForbidsRandomAddressCodeBindAgentDuplicateAddHeaderCodeBindConfigDisallowsIPPolicyCodeBindDomainBadPunycodePrefixCodeBindLabeledTunnelNotAllowedCodeBindTunnelRateLimitExceededCodeCLIENT_HANDSHAKE_TRAFFIC_SECRETCentral Brazilian Standard TimeCertDuplicateCertificateContextCertsSSHCAPublicKeyRequiredCodeCertsSSHCARateLimitExceededCodeDashClientNoChangesToSubmitCodeDashUserBelongsToNoAccountsCodeDuration value not an int64: %TEdgeHeaderKeyLengthExceededCodeEdgeHeaderValLengthExceededCodeEdgeOAuthEmailDomainTooLongCodeEdgeOAuthExactlyOneProviderCodeEdgeOAuthGoogleGroupTooLongCodeEdgeOAuthInvalidEmailDomainCodeEdgeOIDCCheckIntervalTooLowCodeEdgeOIDCClientSecretTooLongCodeEdgeOIDCCookiePrefixTooLongCodeEdgeSAMLIdPMetadataRequiredCodeEventDestinationMissingAuthCodeEventDestinationTooMuchAuthCodeEventSubscriptionNotAllowedCodeFeatureRequestLengthInvalidCodeMembershipsCreateDisallowedCodeMembershipsRemoveDisallowedCodeMountain Standard Time (Mexico)Mozilla/5.0 (compatible; ngrok)MwCompileBackendAddrInvalidCodeMwCompileHTTPMuxPathTooLongCodeMwCompileHandlerTypeInvalidCodeMwCompileIPFilterNoIPPolicyCodeMwRuntimeHTTPBackendTimeoutCodeMwRuntimeNoBackendAvailableCodeNetwork Authentication RequiredNgrok Connectivity - Region: %sPRIORITY frame with stream ID 0Public key is missing or empty.Request Header Fields Too LargeRequested Range Not SatisfiableReservedAddrDescrCharsLimitCodeReservedCustomExistingCNAMECodeReservedDomainCNAMENotFoundCodeReservedDomainInvalidPrefixCodeReservedDomainInvalidRegionCodeReservedDomainInvalidSuffixCodeReservedDomainWildcardLimitCodeResolver state updated: %s (%v)SERVER_HANDSHAKE_TRAFFIC_SECRETSSHTunnelNoMultipleForwardsCodeSSHTunnelPortForwardTimeoutCodeSSHTunnelPublicKeysNotFoundCodeSSHTunnelUpdateNotSupportedCodeSetupDiGetDeviceInfoListDetailWShellCompDirectiveFilterFileExtTLS: sequence number wraparoundTLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_256_GCM_SHA384TunnelV2RestartNotSupportedCodeUsersDeleteBannedDisallowedCodeValid configuration file at %s
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: ; EDNS: version asn1: Unmarshal recipient value is nil bad value in StructValue for key %q: %vbuild line missing '=' after quoted keycan't unmarshal Any nested proto %v: %vcannot assign all values from BoolArraycannot assign all values from CIDRArraycannot assign all values from DateArraycannot assign all values from InetArraycannot assign all values from Int2Arraycannot assign all values from Int4Arraycannot assign all values from Int8Arraycannot assign all values from TextArraycannot assign all values from UUIDArraycannot convert all values to ByteaArraycannot convert all values to JSONBArraycannot decode node with unknown kind %dcannot encode node with unknown kind %dcannot marshal invalid UTF-8 data as %scertificate-management-policy.authoritychain is not signed by an acceptable CAcipher: incorrect tag size given to GCMcobra_annotation_bash_completion_customcobra_annotation_required_if_others_setcomment length insufficient for parsingconfigured to dial out via SOCKS5 Proxycould not establish any TCP connectionscould not establish any TLS connectionscrypto/rsa: invalid options for Decryptcsv: invalid field or comment delimiterdid not find expected hexdecimal numberdns: TXT record %v missing %v attributedriver.Valuer Value() method failed: %wexpected space in input to match formatextraneous or missing " in quoted-fieldfailed to deserialize request parameterfailed to fetch http entries from storefailed to parse filepath pattern %q: %wfailed to write postgres handshake bytefdw_inconsistent_descriptor_informationfdw_invalid_descriptor_field_identifierfound an incorrect trailing UTF-8 octetgoogle.golang.org/genproto/protobuf/apigoogle.golang.org/protobuf/types/known/heapBitsSetTypeGCProg: small allocationhttp: putIdleConn: keep alives disabledinvalid indexed representation index %dinvalid value: merging into nil messageinvalid_argument_for_nth_value_functionmartini handler must be a callable funcmath/big: buffer too small to fit valuemismatched count during itab table copymismatched message type: got %q want %qmissing argument to repetition operatormissing verb: % at end of format stringmodule.provider.microsoft.client-secretmodule.provider.microsoft.email-domainsmspan.sweep: bad span state after sweepmultipart: can't write to finished partnegative minwidth, tabwidth, or paddingngrok is not yet ready to start tunnelsno mutually supported protocol versionsoauth.provider.facebook.email-addressesout of memory allocating heap arena mappq: only text format supported for COPYprevious message not read to completionprints author and licensing informationproxyproto: can't read version 1 headerreflect.MakeMapWithSize of non-map typeresolver returned an empty address listruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=runtime: duplicatehandle failed; errno=session closed, starting reconnect loopsigns of seconds and nanos do not matchstack growth not allowed in system callstatic/assets/82b1212e45a2bc35dd73.woffstatic/css/app.6adde
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: ngrok is a command line application, try typing 'ngrok.exe http 80'big: invalid 2nd argument to Int.Jacobi: need odd integer but got %scan not look up shorthand which is more than one ASCII character: %qcannot assign %v, needed to assign %d elements, but only assigned %dconfig contains tab characters, YAML must use spaces for indentationcrypto/hmac: hash generation function does not produce unique valuesembedded IPv4 address must replace the final 2 fields of the addressexpected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vextension %v does not implement protoreflect.ExtensionTypeDescriptorheap profile: *(\d+): *(\d+) *\[ *(\d+): *(\d+) *\] @ fragmentationzhttp2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qinvalid proto.Message(%T) type, expected a protoreflect.Message typeinvalid retry throttling config: tokenRatio (%v) may not be negativengrok gateway timeout
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: ngrok tcp --remote-addr=1.tcp.ngrok.io:27210 3389The time when this host certificate becomes invalid, in RFC 3339 format. If unspecified, a default value of 24 hours will be used. The OpenSSH certificates RFC calls this valid_before.Only Enterprise plans can use tunnel ACL rules.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: Install your authoken: https://dashboard.ngrok.com/get-started/your-authtokenduplicate registration of %q
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenthe list of principals included in the ssh host certificate. This is the list of hostnames and/or IP addresses that are authorized to serve SSH traffic with this certificate. Dangerously, if no principals are specified, this certificate is considered valid for all hosts.Labeled tunnels are only available after you sign up.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenTunnel Credentials are ngrok agent authtokens. They authorize the ngrok
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenUpdates a TCP Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates a TLS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates an HTTPS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Defines the name identifier format the SP expects the IdP to use in its assertions to identify subjects. If unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of the allowed values enumerated by the SAML specification are supported.the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizing the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See (https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)the OpenSSH certificate protocol spec for additional details.Forwarding to a local file:/// URL is only available after you sign up.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenUpdates an HTTPS Edge Route by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorIf true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.API Keys are used to authenticate to the (https://ngrok.com/docs/api#authentication)ngrok
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenStatusNormalClosureStatusGoingAwayStatusProtocolErrorStatusUnsupportedDatastatusReservedStatusNoStatusRcvdStatusAbnormalClosureStatusInvalidFramePayloadDataStatusPolicyViolationStatusMessageTooBigStatusMandatoryExtensionStatusInternalErrorStatusServiceRestartStatusTryAgainLaterStatusBadGatewayStatusTLSHandshakethe OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenCertificate Authorities are x509 certificates that are used to sign other
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: --remote-addr option. ngrok requires that you reserve a TCP tunnel
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: Use "{{.CommandPath}} [command] --help" for more information about a command.{{end}}
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: set -l directive (string sub --start 2 $results[-1])
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: github.com/pires/go-proxyproto@v0.6.1/addr_proto.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: google.golang.org/grpc@v1.47.0/internal/balancerload/load.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_common.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_no.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v1.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v2.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: go.ngrok.com/lib/web/manifest/loader.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe String found in binary or memory: golang.org/x/sys@v0.0.0-20220722155257-8c9f86f7a55f/windows/svc/eventlog/install.go
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /K
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /K
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Section loaded: samlib.dll
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Static file information: File size 19297280 > 1048576
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x7fd400
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x9d7a00
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3376226974.000001DBC3B47000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2139689030.00000198C2D98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe VolumeInformation
No contacted IP infos