Edit tour

Windows Analysis Report
SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Overview

General Information

Sample name:	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
Analysis ID:	1437706
MD5:	f886615860dbbcd3fe966cf1c79203f9
SHA1:	cdcce183c817b5a291dd2a3d6ef6dca93ce3f01d
SHA256:	5a0ae314a3ccfcd8e2a77585fb96f650574aac0d5dcb48a85f2f4e0be698845f
Tags:	exe
Infos:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly

Creates a process in suspended mode (likely to inject code)

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample reads itself and does not show any behavior, likely it performs some host environment checks which are compared to an embedded key

Process Tree

System is w10x64

SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe (PID: 5352 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe" MD5: F886615860DBBCD3FE966CF1C79203F9)

conhost.exe (PID: 4784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe (PID: 2784 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe MD5: F886615860DBBCD3FE966CF1C79203F9)

cmd.exe (PID: 4144 cmdline: cmd.exe /K MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

System Summary

Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /K, CommandLine: cmd.exe /K, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, ParentProcessId: 5352, ParentProcessName: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, ProcessCommandLine: cmd.exe /K, ProcessId: 4144, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://api.ngrok.comhttps://ngrok.com/tosin
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/api
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/api/keys)API
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/api/keys.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscription
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscription-----BEGIN
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscription0001020304050607080910111213141516171819202122232425
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionA
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionAn
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionCPU
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionCreate
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionCreates
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionEmpty
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionEndpoints
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionGenerate
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionHTTP/1.1
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionID
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionIf
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionInvalid
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionOnly
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionSSH
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionThis
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionYou
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionYour
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptiona
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionif
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptiontls:
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscriptionunable
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenCertificate
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenStatusNormalClosureStatusGoingAwayStatusProtoc
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenTunnel
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenUpdates
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenduplicate
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/get-started/your-authtokenthe
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/security/ip-restrictionsThe
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/signup
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/tunnels/ssh-keys
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dashboard.ngrok.com/tunnels/ssh-keysa
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://dns.google.com/resolve?https://update.equinox.io/checkillegal
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)the
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://github.com/spf13/cobra/issues/1279
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://github.com/spf13/cobra/issues/1508
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://ngrok.com/docs/a...Abuse
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://ngrok.com/docs/api#authentication)ngrok
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://ngrok.com/docs/api#tls-certificates-pem)Certificate
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://ngrok.com/docs/cloud-edge#compatible-clientsYour
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C0000E6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ngrok.com/docs/errors/err_ngrok_8012
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://ngrok.com/docs/ngrok-link#service-api-content-typeOnly
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://ngrok.com/docs/ngrok-link#tls-certificates-key)Private
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://ngrok.com/tos
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: https://status.ngrok.com/
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000F6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C000246000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000EE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C000224000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2134733558.000000C000320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C000112000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000F6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000EE000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C0000A2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2134733558.000000C000320000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-K3RD62G
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C0000EA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ngrok.com

Source: classification engine

Classification label: sus22.winEXE@6/2@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4784:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	File opened: C:\Windows\system32\284e2d521e76f96e45b73009c145aae39fcc3a980f27ffa0f86c0e7e5b4b42caAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	File opened: C:\Windows\system32\dce5f5269411649a8ed9ec22e2ad213daf3ca6d125e074d57e947b42a22bee83AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA			Jump to behavior

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: _DATERANGE_GTSVECTOR_INT4RANGE_INT8RANGE_OIDVECTOR_REFCURSOR_REGCONFIG_TIMESTAMP_TINTERVAL_TSTZRANGE__complete_timestamp_tstzrangearg %d: %watomicand8audio/aiffaudio/midiaudio/mpegaudio/waveavx512bf16avx512gfniavx512ifmaavx512vaesavx512vbmiavx512vnnibackgroundbackprime;backsimeq;bad varintbasic-authbasic_authbigotimes;bytes */%dcenterdot;checkmark;cidr-allowcompletioncomplex128complexes;connectingconnectioncontentioncreatetempdebug calldecode: %sdefinitiondependencydeprecateddns: <nil>dnsapi.dlldotsquare;downarrow;error.htmlexitThreadexp masterextensionsfloat32nanfloat64nanfont/woff2formactionformmethodformtargetgetsockoptgo_packagegoogle.comgoroutine grpc.Recv.grpc.Sent.gtrapprox;gtreqless;gvertneqq;heapgrowthheartsuit;http-equivhttp-proxyhttp_proxyimage/avifimage/jpegimage/webpimpossibleinput_typeinstanceofint32Sliceint64Sliceinvalid IPinvalidptrkeep-alivekrbsrvnamelatency_msleftarrow;lesseqgtr;local-addrlog-formatlvertneqq;mSpanInUsematch-typemediagroupmodule.addmultipart-ngeqslant;nleqslant;notifyListnovalidatenparallel;nshortmid;nsubseteq;nsupseteq;oidc-scopeoneof_declowner diedpick_firstpitchfork;powershellpprof_addrprincipalspublic-keyradiogrouprationals;res binderres masterresumptionroundrobinrune <nil>runtime: gs.state = schedtracesemacquireset-cookiesetsockoptshort readsocks bindspadesuit;spellchecksslRequeststackLargestream endsubseteqq;subsetneq;supseteqq;supsetneq;t.Kind == tc_pvalloctc_reallocterminatedtherefore;ticks.locktracefree(tracegc()
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: parse errorpassthroughpb.db_codecplaceholderpostgres://precapprox;proxy-protopurge entryraw-controlread %q: %wreflect.SetreflectOffsremote-addrretry-afterrightarrow;rmoustache;round_robinruntime: P runtime: p runtime\..*scheddetailsechost.dllsecur32.dllserver_addrshell32.dllshort writesqsubseteq;sqsupseteq;sslrootcertstack tracestatus-codestream_idlestringArraystringSlicestringToIntsubsetneqq;succapprox;supsetneqq;tc_memaligntc_newarraytime: file timestamptztls: alert(tracealloc(traffic updtransparentunreachableupuparrows;userenv.dllvalid-aftervalid-untilvarepsilon;varnothing;version.dllwsarecvfromyYnNtTfFoO~ (sensitive) B (
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: .WithDeadline(.in-addr.arpa./abuse_reports/anon_hugepage/requests/http/tunnels/:name01-02\|15:04:05127.0.0.1:4040190734863281252006010215040595367431640625: extra text: :[^/#?()\.\\]+<not Stringer>> :path: [%s]
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: [0m=%s_REGDICTIONARY_TXID_SNAPSHOTaccept-charsetadmin_shutdownallocfreetracebad allocCountbad record MACbad restart PCbad span statebigtriangleup;blacktriangle;body_write_errbuffer is fullbytes %d-%d/%dcannot scan %Tcase_not_foundcertificate-idcommand failedcontent-lengthcrash_shutdowndata truncateddata_corrupteddata_exceptiondeflate decodedivideontimes;document startduplicate_fileelliptic-curveencode requestfailed to authfallingdotseq;fdw_no_schemasfile too largefinalizer waitfirst_settingsformnovalidategcstoptheworldgetprotobynamegrouping_errorgrpc-trace-binhelp [command]hookleftarrow;http_proxy_envint4multirangeint8multirangeinternal errorinternal_errorinvalid Prefixinvalid kind: invalid methodinvalid statusinvalid syntaxis a directorykey size wrongleftarrowtail;leftharpoonup;len of type %slevel 2 haltedlevel 3 haltedlongleftarrow;looparrowleft;measuredangle;memory storagemessage is nilmodule.enabledmutual-tls-casneed more datangrok-diagnosenil elem type!no module datano such deviceno such regionnot an ip:portntriangleleft;oidc-client-idoidc.client-idpb.dash_unsafepb.enum_prefixping_on_streampollCache.lockpostgresql.crtpostgresql.keyprefix length protobuf errorprotobuf_oneofprotocol errorquery_canceledread mem statsread_frame_eofrequested stopreserved-addrsreserved_rangeruntime: full=runtime\.panics.allocCount= semaRoot queuesequence startsession closedshortparallel;show_sensitivesignal handlersmallsetminus;stack overflowstarted tunnelstopm spinningstore64 failedstringToStringsync.Cond.Waittc_deletearraytc_new_nothrowtext file busytoo many linkstoo many userstrailers_bogustriangleright;trimRightSpaceundefined_fileunexpected EOFunknown code: unknown error unknown methodunknown mode: unknown node: unreachable: unsafe.Pointerupdate appliedupdate_channelupharpoonleft;varsubsetneqq;varsupsetneqq;verify-webhookwinapi error #work.full != 0zero parameter with GC prog
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Operation ID: %sambiguous_functionappendIfNotPresentapplication/x-gzipbackend.backend-idbad Content-Lengthbad authenticationbad extended rcodebad lfnode addressbad manualFreeListbad resolver stateblacktriangledown;blacktriangleleft;bufio: buffer fullcannot_connect_nowcleantimers: bad pcollation_mismatchconnection is idleconnection refusedconnection_failurecontext.Backgrounddecoding error: %vdelete-certificatedeprecated_featuredetect init systemduplicate name: %qduplicate_databaseduplicate_functionelem align too bigempty Huffman treeevent-destinationsexceeded max depthexpected element <export restrictionextra_float_digitsfailed to ping: %wfailed to read: %wfaketimeState.lockfdw_invalid_handlefile name too longflag %q contains =flag redefined: %sforEachP: not doneframe_goaway_shortgarbage collectionhalf join completeheartbeat receivedhttp: no such fileidentifier removedin numeric literalindex out of rangeindicator_overflowinput/output errorinvalid IP addressinvalid XML name: invalid character invalid config: %vinvalid hex formatinvalid length: %dinvalid length: %vkerberos error: %sleftrightharpoons;len of nil pointerless than a minutelock_not_availablemalloc_zone_callocmalloc_zone_mallocmalloc_zone_vallocmodule.force-authnmodule.min-versionmodule.num-bucketsmultihop attemptedmutual-tls.enablednegative bit indexnegative_int_valuenetip.ParsePrefix(ngrok-api-client/0no child processesno locks availableno secrets definedno signature foundnon-minimal lengthnot_null_violationoauth-allow-domainoidc app client idoidc-client-secretoidc.client-secretoidc.cookie-prefixoperation canceledoverflow packing apermessage-deflateport not a number?positive_int_valueprivate-key-formatprotocol_violationproxy-authenticateread timed out: %wreceived from peerreflect.Value.Callreflect.Value.Elemreflect.Value.Sendreflect.Value.Typereflect.Value.Uintreflect: Zero(nil)request-header-addrestrict_violationrightleftharpoons;runtime.semacreateruntime.semawakeupruntime: npages = runtime: range = {runtime: textAddr saml.cookie-prefixsaml.nameid-formatsegmentation faultsequence truncatedsilence-semicolonsstart a TCP tunnelstart a TLS tunnelstarting componentstatic/favicon.icostreams pipe errorsystem page size (tag:yaml.org,2002:termbox.EventErrortext/javascript1.0text/javascript1.1text/javascript1.2text/javascript1.3text/javascript1.4text/javascript1.5the stream is donetoo_many_argumentstracebackancestorstrailers_not_endedtruncated sequencetwoheadrightarrow;unable to parse IPundefined_functionunexpected messageunexpected newlineunexpected type %Tunknown error: %#vunknown flag: --%sunknown service %vunknown time zone update in progressuse of closed fileuse tcp keep-alivevalue out of rangewaiting for update commands+=(%q)
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: panic holding lockspanicwrap: no ( in panicwrap: no ) in parsing profile: %vpb.cli_pretty_printpb/extensions.protoproxy-authorizationpy_generic_servicesrange too short: %vreflect.Value.Fieldreflect.Value.Floatreflect.Value.Indexreflect.Value.IsNilreflect.Value.Slicerequest body closedrequest-headers.addresponding with 502response-header-addrevoked certificatersa: internal errorruntime: g0 stack [runtime: pcdata is runtime: preempt g0runtime\.call[0-9]*sampling period=%d
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: after top-level valuearray_subscript_errorasync stack too largeat range loop break: bad magic value foundbad number syntax: %qbad type in compare: block device requiredbuffer size too smallbufio: negative countcannot marshal type: cannot put %d into %Tcardinality_violationcheckdead: runnable gcommand not supportedconcurrent map writesdecompression failuredefer on system stackdiagnostics_exceptionexec: already startedexpected DOCUMENT-ENDexpected STREAM-STARTfailed to deserializefdw_invalid_data_typefeature not supportedfeature_not_supportedfindrunnable: wrong pflag %q begins with -flow control violatedforeign_key_violationframe_ping_has_streamgoogle.protobuf.Valuehttp: Handler timeouthttp: invalid patternhttp: nil Request.URLhttps-edge-mutual-tlshttps-edge-route-oidchttps-edge-route-samlhttps://api.ngrok.comhttps://ngrok.com/tosin string escape codeinternal server errorinvalid NumericStringinvalid emitter stateinvalid named captureinvalid nil Timestampinvalid scalar lengthinvalid stream id: %djava_generic_serviceskey is not comparablelink has been severedlistening on %s (%s)
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Press return to continue...ReservedAddrUnavailableCodeRun '%v --help' for usage.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Press return to continue...ReservedAddrUnavailableCodeRun '%v --help' for usage.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: .lib section in a.out corrupted/edges/tls/{{ .ID }}/mutual_tls/tunnel_sessions/{{ .ID }}/stop11368683772161602973937988281252006-1-2T15:4:5.999999999Z07:002006-1-2t15:4:5.999999999Z07:005684341886080801486968994140625APIRequestRateLimitExceededCodeAccount name must not be empty.BackendStaticAddressInvalidCodeBackendStaticAddressMissingCodeBillingAddressInvalidLengthCodeBillingEmailDeleteProtectedCodeBindACLForbidsRandomAddressCodeBindAgentDuplicateAddHeaderCodeBindConfigDisallowsIPPolicyCodeBindDomainBadPunycodePrefixCodeBindLabeledTunnelNotAllowedCodeBindTunnelRateLimitExceededCodeCLIENT_HANDSHAKE_TRAFFIC_SECRETCentral Brazilian Standard TimeCertDuplicateCertificateContextCertsSSHCAPublicKeyRequiredCodeCertsSSHCARateLimitExceededCodeDashClientNoChangesToSubmitCodeDashUserBelongsToNoAccountsCodeDuration value not an int64: %TEdgeHeaderKeyLengthExceededCodeEdgeHeaderValLengthExceededCodeEdgeOAuthEmailDomainTooLongCodeEdgeOAuthExactlyOneProviderCodeEdgeOAuthGoogleGroupTooLongCodeEdgeOAuthInvalidEmailDomainCodeEdgeOIDCCheckIntervalTooLowCodeEdgeOIDCClientSecretTooLongCodeEdgeOIDCCookiePrefixTooLongCodeEdgeSAMLIdPMetadataRequiredCodeEventDestinationMissingAuthCodeEventDestinationTooMuchAuthCodeEventSubscriptionNotAllowedCodeFeatureRequestLengthInvalidCodeMembershipsCreateDisallowedCodeMembershipsRemoveDisallowedCodeMountain Standard Time (Mexico)Mozilla/5.0 (compatible; ngrok)MwCompileBackendAddrInvalidCodeMwCompileHTTPMuxPathTooLongCodeMwCompileHandlerTypeInvalidCodeMwCompileIPFilterNoIPPolicyCodeMwRuntimeHTTPBackendTimeoutCodeMwRuntimeNoBackendAvailableCodeNetwork Authentication RequiredNgrok Connectivity - Region: %sPRIORITY frame with stream ID 0Public key is missing or empty.Request Header Fields Too LargeRequested Range Not SatisfiableReservedAddrDescrCharsLimitCodeReservedCustomExistingCNAMECodeReservedDomainCNAMENotFoundCodeReservedDomainInvalidPrefixCodeReservedDomainInvalidRegionCodeReservedDomainInvalidSuffixCodeReservedDomainWildcardLimitCodeResolver state updated: %s (%v)SERVER_HANDSHAKE_TRAFFIC_SECRETSSHTunnelNoMultipleForwardsCodeSSHTunnelPortForwardTimeoutCodeSSHTunnelPublicKeysNotFoundCodeSSHTunnelUpdateNotSupportedCodeSetupDiGetDeviceInfoListDetailWShellCompDirectiveFilterFileExtTLS: sequence number wraparoundTLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_256_GCM_SHA384TunnelV2RestartNotSupportedCodeUsersDeleteBannedDisallowedCodeValid configuration file at %s
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: .lib section in a.out corrupted/edges/tls/{{ .ID }}/mutual_tls/tunnel_sessions/{{ .ID }}/stop11368683772161602973937988281252006-1-2T15:4:5.999999999Z07:002006-1-2t15:4:5.999999999Z07:005684341886080801486968994140625APIRequestRateLimitExceededCodeAccount name must not be empty.BackendStaticAddressInvalidCodeBackendStaticAddressMissingCodeBillingAddressInvalidLengthCodeBillingEmailDeleteProtectedCodeBindACLForbidsRandomAddressCodeBindAgentDuplicateAddHeaderCodeBindConfigDisallowsIPPolicyCodeBindDomainBadPunycodePrefixCodeBindLabeledTunnelNotAllowedCodeBindTunnelRateLimitExceededCodeCLIENT_HANDSHAKE_TRAFFIC_SECRETCentral Brazilian Standard TimeCertDuplicateCertificateContextCertsSSHCAPublicKeyRequiredCodeCertsSSHCARateLimitExceededCodeDashClientNoChangesToSubmitCodeDashUserBelongsToNoAccountsCodeDuration value not an int64: %TEdgeHeaderKeyLengthExceededCodeEdgeHeaderValLengthExceededCodeEdgeOAuthEmailDomainTooLongCodeEdgeOAuthExactlyOneProviderCodeEdgeOAuthGoogleGroupTooLongCodeEdgeOAuthInvalidEmailDomainCodeEdgeOIDCCheckIntervalTooLowCodeEdgeOIDCClientSecretTooLongCodeEdgeOIDCCookiePrefixTooLongCodeEdgeSAMLIdPMetadataRequiredCodeEventDestinationMissingAuthCodeEventDestinationTooMuchAuthCodeEventSubscriptionNotAllowedCodeFeatureRequestLengthInvalidCodeMembershipsCreateDisallowedCodeMembershipsRemoveDisallowedCodeMountain Standard Time (Mexico)Mozilla/5.0 (compatible; ngrok)MwCompileBackendAddrInvalidCodeMwCompileHTTPMuxPathTooLongCodeMwCompileHandlerTypeInvalidCodeMwCompileIPFilterNoIPPolicyCodeMwRuntimeHTTPBackendTimeoutCodeMwRuntimeNoBackendAvailableCodeNetwork Authentication RequiredNgrok Connectivity - Region: %sPRIORITY frame with stream ID 0Public key is missing or empty.Request Header Fields Too LargeRequested Range Not SatisfiableReservedAddrDescrCharsLimitCodeReservedCustomExistingCNAMECodeReservedDomainCNAMENotFoundCodeReservedDomainInvalidPrefixCodeReservedDomainInvalidRegionCodeReservedDomainInvalidSuffixCodeReservedDomainWildcardLimitCodeResolver state updated: %s (%v)SERVER_HANDSHAKE_TRAFFIC_SECRETSSHTunnelNoMultipleForwardsCodeSSHTunnelPortForwardTimeoutCodeSSHTunnelPublicKeysNotFoundCodeSSHTunnelUpdateNotSupportedCodeSetupDiGetDeviceInfoListDetailWShellCompDirectiveFilterFileExtTLS: sequence number wraparoundTLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_256_GCM_SHA384TunnelV2RestartNotSupportedCodeUsersDeleteBannedDisallowedCodeValid configuration file at %s
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: ; EDNS: version asn1: Unmarshal recipient value is nil bad value in StructValue for key %q: %vbuild line missing '=' after quoted keycan't unmarshal Any nested proto %v: %vcannot assign all values from BoolArraycannot assign all values from CIDRArraycannot assign all values from DateArraycannot assign all values from InetArraycannot assign all values from Int2Arraycannot assign all values from Int4Arraycannot assign all values from Int8Arraycannot assign all values from TextArraycannot assign all values from UUIDArraycannot convert all values to ByteaArraycannot convert all values to JSONBArraycannot decode node with unknown kind %dcannot encode node with unknown kind %dcannot marshal invalid UTF-8 data as %scertificate-management-policy.authoritychain is not signed by an acceptable CAcipher: incorrect tag size given to GCMcobra_annotation_bash_completion_customcobra_annotation_required_if_others_setcomment length insufficient for parsingconfigured to dial out via SOCKS5 Proxycould not establish any TCP connectionscould not establish any TLS connectionscrypto/rsa: invalid options for Decryptcsv: invalid field or comment delimiterdid not find expected hexdecimal numberdns: TXT record %v missing %v attributedriver.Valuer Value() method failed: %wexpected space in input to match formatextraneous or missing " in quoted-fieldfailed to deserialize request parameterfailed to fetch http entries from storefailed to parse filepath pattern %q: %wfailed to write postgres handshake bytefdw_inconsistent_descriptor_informationfdw_invalid_descriptor_field_identifierfound an incorrect trailing UTF-8 octetgoogle.golang.org/genproto/protobuf/apigoogle.golang.org/protobuf/types/known/heapBitsSetTypeGCProg: small allocationhttp: putIdleConn: keep alives disabledinvalid indexed representation index %dinvalid value: merging into nil messageinvalid_argument_for_nth_value_functionmartini handler must be a callable funcmath/big: buffer too small to fit valuemismatched count during itab table copymismatched message type: got %q want %qmissing argument to repetition operatormissing verb: % at end of format stringmodule.provider.microsoft.client-secretmodule.provider.microsoft.email-domainsmspan.sweep: bad span state after sweepmultipart: can't write to finished partnegative minwidth, tabwidth, or paddingngrok is not yet ready to start tunnelsno mutually supported protocol versionsoauth.provider.facebook.email-addressesout of memory allocating heap arena mappq: only text format supported for COPYprevious message not read to completionprints author and licensing informationproxyproto: can't read version 1 headerreflect.MakeMapWithSize of non-map typeresolver returned an empty address listruntime: blocked write on free polldescruntime: casfrom_Gscanstatus failed gp=runtime: duplicatehandle failed; errno=session closed, starting reconnect loopsigns of seconds and nanos do not matchstack growth not allowed in system callstatic/assets/82b1212e45a2bc35dd73.woffstatic/css/app.6adde
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: ngrok is a command line application, try typing 'ngrok.exe http 80'big: invalid 2nd argument to Int.Jacobi: need odd integer but got %scan not look up shorthand which is more than one ASCII character: %qcannot assign %v, needed to assign %d elements, but only assigned %dconfig contains tab characters, YAML must use spaces for indentationcrypto/hmac: hash generation function does not produce unique valuesembedded IPv4 address must replace the final 2 fields of the addressexpected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vextension %v does not implement protoreflect.ExtensionTypeDescriptorheap profile: (\d+): (\d+) \[ (\d+): (\d+) \] @ fragmentationzhttp2: Transport conn %p received error from processing frame %v: %vhttp2: Transport received unsolicited DATA frame; closing connectionhttp: message cannot contain multiple Content-Length headers; got %qinvalid proto.Message(%T) type, expected a protoreflect.Message typeinvalid retry throttling config: tokenRatio (%v) may not be negativengrok gateway timeout
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: ngrok tcp --remote-addr=1.tcp.ngrok.io:27210 3389The time when this host certificate becomes invalid, in RFC 3339 format. If unspecified, a default value of 24 hours will be used. The OpenSSH certificates RFC calls this valid_before.Only Enterprise plans can use tunnel ACL rules.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Install your authoken: https://dashboard.ngrok.com/get-started/your-authtokenduplicate registration of %q
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenthe list of principals included in the ssh host certificate. This is the list of hostnames and/or IP addresses that are authorized to serve SSH traffic with this certificate. Dangerously, if no principals are specified, this certificate is considered valid for all hosts.Labeled tunnels are only available after you sign up.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenTunnel Credentials are ngrok agent authtokens. They authorize the ngrok
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenUpdates a TCP Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates a TLS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates an HTTPS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Defines the name identifier format the SP expects the IdP to use in its assertions to identify subjects. If unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of the allowed values enumerated by the SAML specification are supported.the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizing the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See (https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)the OpenSSH certificate protocol spec for additional details.Forwarding to a local file:/// URL is only available after you sign up.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenUpdates a TCP Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates a TLS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates an HTTPS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Defines the name identifier format the SP expects the IdP to use in its assertions to identify subjects. If unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of the allowed values enumerated by the SAML specification are supported.the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizing the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See (https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)the OpenSSH certificate protocol spec for additional details.Forwarding to a local file:/// URL is only available after you sign up.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenUpdates an HTTPS Edge Route by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorIf true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.API Keys are used to authenticate to the (https://ngrok.com/docs/api#authentication)ngrok
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenStatusNormalClosureStatusGoingAwayStatusProtocolErrorStatusUnsupportedDatastatusReservedStatusNoStatusRcvdStatusAbnormalClosureStatusInvalidFramePayloadDataStatusPolicyViolationStatusMessageTooBigStatusMandatoryExtensionStatusInternalErrorStatusServiceRestartStatusTryAgainLaterStatusBadGatewayStatusTLSHandshakethe OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Your authtoken is available on your dashboard: https://dashboard.ngrok.com/get-started/your-authtokenCertificate Authorities are x509 certificates that are used to sign other
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: --remote-addr option. ngrok requires that you reserve a TCP tunnel
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Use "{{.CommandPath}} [command] --help" for more information about a command.{{end}}
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: Use "{{.CommandPath}} [command] --help" for more information about a command.{{end}}
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: set -l directive (string sub --start 2 $results[-1])
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: github.com/pires/go-proxyproto@v0.6.1/addr_proto.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: google.golang.org/grpc@v1.47.0/internal/balancerload/load.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_common.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_no.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v1.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v2.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: go.ngrok.com/lib/web/manifest/loader.go
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	String found in binary or memory: golang.org/x/sys@v0.0.0-20220722155257-8c9f86f7a55f/windows/svc/eventlog/install.go

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Section loaded: samlib.dll	Jump to behavior

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Static file information: File size 19297280 > 1048576

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x7fd400
Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x9d7a00

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3376226974.000001DBC3B47000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2139689030.00000198C2D98000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe VolumeInformation			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	3%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://api.ngrok.comhttps://ngrok.com/tosin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dashboard.ngrok.com/tunnels/ssh-keysa	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://ngrok.com/tos	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://ngrok.com/docs/ngrok-link#service-api-content-typeOnly	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionunable	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dns.google.com/resolve?https://update.equinox.io/checkillegal	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptiontls:	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://github.com/spf13/cobra/issues/1508	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://ngrok.com/docs/errors/err_ngrok_8012	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C0000E6000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dashboard.ngrok.com/billing/subscriptionThis	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptiona	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionEmpty	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionAn	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/security/ip-restrictionsThe	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/get-started/your-authtokenduplicate	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://status.ngrok.com/	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://ngrok.com/docs/ngrok-link#tls-certificates-key)Private	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://ngrok.com/docs/cloud-edge#compatible-clientsYour	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://ngrok.com/docs/api#authentication)ngrok	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://ngrok.com/docs/api#tls-certificates-pem)Certificate	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/tunnels/ssh-keys	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/api	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionEndpoints	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/get-started/your-authtokenthe	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/get-started/your-authtokenCertificate	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscription-----BEGIN	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscription	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/get-started/your-authtokenUpdates	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionInvalid	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/get-started/your-authtokenStatusNormalClosureStatusGoingAwayStatusProtoc	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionCPU	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionCreates	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://www.ngrok.com	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000000.00000002.3373030981.000000C0000A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, 00000003.00000002.2132016154.000000C0000EA000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dashboard.ngrok.com/api/keys.	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscription0001020304050607080910111213141516171819202122232425	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionID	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionGenerate	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionif	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/get-started/your-authtokenTunnel	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionCreate	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://ngrok.com/docs/a...Abuse	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)the	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionHTTP/1.1	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionSSH	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionOnly	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/api/keys)API	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionIf	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/signup	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionA	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionYou	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://dashboard.ngrok.com/billing/subscriptionYour	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://github.com/spf13/cobra/issues/1279	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false		high
https://api.ngrok.comhttps://ngrok.com/tosin	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1437706
Start date and time:	2024-05-07 20:26:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
Detection:	SUS
Classification:	sus22.winEXE@6/2@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe, PID 5352 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.453129077883107
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
File size:	19'297'280 bytes
MD5:	f886615860dbbcd3fe966cf1c79203f9
SHA1:	cdcce183c817b5a291dd2a3d6ef6dca93ce3f01d
SHA256:	5a0ae314a3ccfcd8e2a77585fb96f650574aac0d5dcb48a85f2f4e0be698845f
SHA512:	4f133875662db65313897586d4ab748be5ed386f31ba3ee6d54e7cc4e4da44cf54392bb16f6f1832ba74f4be55ec3aeae5d3632b73bab2a49dbe37ff7d8edcca
SSDEEP:	196608:trwkQhsWhgXuPx0WQywOlNF4Rd9HScIxuJKW:OHOoPmtywnIx8K
TLSH:	92174943F89181E8C4EDD174CA26D656BB703C890B3067D33B60FAB92B76BD46A79350
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........r&.......".................@.........@...............................-...........`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46b440
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	ff9f3a86709796c17211f9df12aae74d

Entrypoint Preview

Instruction
jmp 00007F6A44E929B0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
dec eax
sub esp, 30h
dec ecx
mov edi, eax
dec eax
mov edx, dword ptr [00000028h]
dec eax
cmp edx, 00000000h
jne 00007F6A44E9669Eh
dec eax
mov eax, 00000000h
jmp 00007F6A44E96715h
dec eax
mov edx, dword ptr [edx+00000000h]
dec eax
cmp edx, 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12af000	0x4b8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12b0000	0x27472	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11d84c0	0x150	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7fd20d	0x7fd400	246feaf8bc585cd54c01429f881f5540	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7ff000	0x9d79c8	0x9d7a00	14a73eb7c259fc79e1776b1888d9514a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x11d7000	0xd7ef0	0x6a200	7e94b061923a5e47d4f1ae2a322b3642	False	0.33458710615429915	data	4.86010103981288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x12af000	0x4b8	0x600	665ad138e3907bd7b248f18ecc2feaf1	False	0.3424479166666667	data	3.880935332975287	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x12b0000	0x27472	0x27600	a76e7172ceb3451b4f2b236efbe9ca02	False	0.16515376984126984	data	5.454523136404931	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x12d8000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetThreadPriority, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, PostQueuedCompletionStatus, LoadLibraryA, LoadLibraryW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetEnvironmentStringsW, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateWaitableTimerA, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler

Target ID:	0
Start time:	20:27:17
Start date:	07/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe"
Imagebase:	0x290000
File size:	19'297'280 bytes
MD5 hash:	F886615860DBBCD3FE966CF1C79203F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	20:27:17
Start date:	07/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	20:27:17
Start date:	07/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe
Imagebase:	0x290000
File size:	19'297'280 bytes
MD5 hash:	F886615860DBBCD3FE966CF1C79203F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:27:19
Start date:	07/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /K
Imagebase:	0x7ff7b2e10000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exePID: 5352, Parent PID: 4004

General

Chronological Activities

Analysis Process: conhost.exePID: 4784, Parent PID: 5352

General

Chronological Activities

Analysis Process: SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exePID: 2784, Parent PID: 5352

General

Chronological Activities

Windows Analysis Report
SecuriteInfo.com.PUA.RiskWare.Frp.3859.2083.exe