Edit tour

Windows Analysis Report
ngrok.exe

Overview

General Information

Sample name:	ngrok.exe
Analysis ID:	1455159
MD5:	73978a303b99aad781516908ef925b00
SHA1:	b9586f6c92eea257bba6f617f61fda3ac2b05b6f
SHA256:	8549c2e539e071091426857781827c9759cfbe71ecb4d9e3e0193969f763a38d
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly

Creates a process in suspended mode (likely to inject code)

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

System is w10x64

ngrok.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\ngrok.exe" MD5: 73978A303B99AAD781516908EF925B00)

conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ngrok.exe (PID: 7432 cmdline: C:\Users\user\Desktop\ngrok.exe MD5: 73978A303B99AAD781516908EF925B00)

cmd.exe (PID: 7576 cmdline: cmd.exe /K MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Sigma Signatures

System Summary

Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /K, CommandLine: cmd.exe /K, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ngrok.exe", ParentImage: C:\Users\user\Desktop\ngrok.exe, ParentProcessId: 7300, ParentProcessName: ngrok.exe, ProcessCommandLine: cmd.exe /K, ProcessId: 7576, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ngrok.exe

ReversingLabs: Detection: 23%

Source: ngrok.exe

Static PE information: certificate valid

Source: ngrok.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ngrok.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ngrok.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ngrok.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ngrok.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ngrok.exe	String found in binary or memory: http://creativecommons.org/publicdomain/zero/1.0
Source: ngrok.exe	String found in binary or memory: http://crl.ngrok-agent.com/ngrok.crlURL
Source: ngrok.exe	String found in binary or memory: http://crl.ngrok.com/ngrok.crl227373675443232059478759765625reflect:
Source: ngrok.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ngrok.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ngrok.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ngrok.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ngrok.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ngrok.exe	String found in binary or memory: http://fsf.org/
Source: ngrok.exe	String found in binary or memory: http://jedwatson.github.io/classnames
Source: ngrok.exe	String found in binary or memory: http://mattn.mit-license.org/2013
Source: ngrok.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: ngrok.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: ngrok.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: ngrok.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: ngrok.exe	String found in binary or memory: http://www.apache.org/licenses/
Source: ngrok.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ngrok.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: ngrok.exe	String found in binary or memory: http://www.eslinstructor.net/vkbeautify/
Source: ngrok.exe	String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: ngrok.exe	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: ngrok.exe	String found in binary or memory: https://api.ngrok.comunsupported
Source: ngrok.exe	String found in binary or memory: https://dashboard.ngrok.com/api.
Source: ngrok.exe	String found in binary or memory: https://dashboard.ngrok.com/api/keys)
Source: ngrok.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscription
Source: ngrok.exe	String found in binary or memory: https://dns.google.com/resolve?/tunnel_sessions/
Source: ngrok.exe	String found in binary or memory: https://getbootstrap.com/)
Source: ngrok.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: ngrok.exe	String found in binary or memory: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css
Source: ngrok.exe	String found in binary or memory: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)
Source: ngrok.exe	String found in binary or memory: https://github.com/spf13/cobra/issues/1279
Source: ngrok.exe	String found in binary or memory: https://github.com/spf13/cobra/issues/1508
Source: ngrok.exe	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: ngrok.exe	String found in binary or memory: https://instrumentation-telemetry-intake.datadoghq.com/api/v2/apmtelemetryAddAttrs
Source: ngrok.exe	String found in binary or memory: https://ngrok....Certificate
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/api#authentication).
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/cloud-edge/endpoints#certificate-chains).Integer
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/cloud-edge/endpoints#private-keys).A
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/cloud-edge/modules/webhook-verification
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/cloud-edge/modules/webhook-verification)the
Source: ngrok.exe, 00000002.00000002.1903640154.000000C000250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ngrok.com/docs/errors/err_ngrok_8012
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/tos
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/tosAuto
Source: ngrok.exe	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: ngrok.exe	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-K3RD62G
Source: ngrok.exe, 00000000.00000002.3142179693.000000C0004C0000.00000004.00001000.00020000.00000000.sdmp, ngrok.exe, 00000002.00000002.1903640154.000000C000250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ngrok.com

Source: ngrok.exe

Binary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockfloating point exceptionconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard TimeMontevideo Standard TimeMagallanes Standard TimePacific SA Standard TimeAzerbaijan Standard TimeBangladesh Standard TimeNorth Asia Standard TimeCape Verde Standard Timeexpected float; found %sGot update major commandunknown region '%s' - %sCheck for update failed:timed out while updating/inspect/http/.+/requestapplication/octet-stream2006-01-02T15:04:05-0700log15: unknown level: %vMon Jan _2 15:04:05 2006text/html; charset=utf-8unexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sstream %d already openedConnContext returned nilRequest Entity Too Largehttp: nil Request.Headerhttps-edge-route-backendmodule.authorized-groupsresponse-headers.enabledoauth.inactivity-timeoutsaml.options-passthroughsaml.allow-idp-initiatedoidc.options-passthroughDelete an IP restrictionDelete a TLS certificatetls-edge-tls-terminationexec: Stdout already setexec: Stderr already setBuffer called after Scanerror decrypting messagecertificate unobtainableTLS_RSA_WITH_RC4_128_SHAjson: unsupported type: buffer closed previouslyTunnelV2IPRestrictedCodeAuthInvalidUserAgentCodeAPIInvalidCredentialCodeAPIInvalidTLSVersionCodeAPIInvalidIPPolicyIDCodeAPIInvalidEventFieldCodeBindUnsupportedProtoCodeBindIPPolicyNotExistCodeBindDomainUnderscoreCodeCredsDescrCharsLimitCodeSSHTunnelBadProtocolCodeSSHTunnelPortInvalidCodeIPPolicyRuleNotFoundCodeIPPolicyMissingParamCodeMwRuntimeExplicitBanCodeAccountNotAuthorizedCodeMapNonexistentServerCodeHTMLDisallowedRegionCodeBannedAddrIDNotFoundCodeBackendWeightedLimitCodeBackendFailoverLimitCodeEdgeDeleteStillInUseCodeEdgeHeaderKeyInvalidCodeEdgeHeaderValInvalidCodeEdgeValidationErrorsCodeEdgeHostportNotFoundCodeEdgeInvalidPortRangeCodeEdgeRouteNoMatchExprCodeEdgeInvalidMatchTypeCodeEdgeOIDCScopeTooLongCodeDashClientInvalidARNCodeCorpClientInvalidARNCodeMFADeviceTypeInvalidCode [%d/%d from method '%s'failed to write response/abuse_reports/{{ .ID }}/certificate_authoritiesWaitToKillServiceTimeoutAllocateAndInitializeSidBuildSecurityDescriptorWAssignProcessToJobObjectGenerateConsoleCtrlEventGetMaximumProcessorCountGetNamedPipeHandleStateWSetConsoleCursorPositionSetDefaultDllDirectoriesNtQuerySystemInformationSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDeviceGetWindowThreadProcessIdduplicate %TAG directiveread handler must be setexceeded max depth of %dwhile scanning an anchorSet application protocolx509: malformed validityaddress string too shortsuccessful verify of CRLskipping out of date CRL\Device\NamedPipe\cygwin

Source: classification engine

Classification label: mal52.winEXE@6/2@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03

Source: C:\Users\user\Desktop\ngrok.exe	File opened: C:\Windows\system32\3b4abca02bd1b4a2ef6ade2fba80f2dcdde174a4f2b5cde5b6f46c332783a3b0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA			Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	File opened: C:\Windows\system32\eab31c427d5a24efa87bc78fc736abbe500fbbb53ba98d60e075ffa56630bd67AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA			Jump to behavior

Source: ngrok.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ngrok.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ngrok.exe

ReversingLabs: Detection: 23%

Source: ngrok.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine terminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dll%!Weekday(short read --%sint32Sliceint64Slice<no value>value for arg %d: %wChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtraForwardingconnectingerror.htmldisconnecttunnelNameUser-Agent/static/.+vendor.css.localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = ConnectionKeep-Alivelocal-addrimage/webpimage/jpegaudio/aiffaudio/mpegaudio/midiaudio/wavevideo/webmfont/woff2RST_STREAMEND_STREAMSet-Cookiebytes */%d stream=%dset-cookieuser-agentkeep-alive:authorityconnectionequivalentHost: %s
Source: ngrok.exe	String found in binary or memory: assets/tls/Interactivesechost.dllversion.dllGetFileTimeSetCommMaskVirtualFreeCoGetObjectEnumWindowsMessageBoxWmapping endyYnNtTfFoO~!!timestamphost-headercompressionoauth-scopepolicy-fileremote-addrnext_updategocachehashgocachetestarchive/tarcrypto/x509archive/zipInstCaptureInstRuneAny[:^xdigit:]parse errorexpected :=empty fieldSystemDriveProgramDatamin_versiongot requestcannot copyCERTIFICATEcontextmenucrossoriginformenctypeplaceholder_eval_args_\x3C/scriptdevelopmentMARTINI_ENVgrpc-statuspassthroughgrpc.Server"CANCELLED""NOT_FOUND""DATA_LOSS"UnavailableUNAVAILABLEpb.db_codec> in space ReportFaultuser_facingerror.stackhttp.methodhttp.flavorClassHESIODauthoritiesadditionalsIn-Reply-ToReturn-Pathhttps_proxyBernoullis;CirclePlus;EqualTilde;Fouriertrf;ImaginaryI;Laplacetrf;LeftVector;Lleftarrow;NotElement;NotGreater;Proportion;RightArrow;RightFloor;Rightarrow;TildeEqual;TildeTilde;UnderBrace;UpArrowBar;UpTeeArrow;circledast;complement;curlywedge;eqslantgtr;gtreqqless;lessapprox;lesseqqgtr;lmoustache;longmapsto;mapstodown;mapstoleft;nLeftarrow;nleftarrow;precapprox;rightarrow;rmoustache;sqsubseteq;sqsupseteq;subsetneqq;succapprox;supsetneqq;upuparrows;varepsilon;varnothing;ThickSpace;nsubseteqq;nsupseteqq;allocationsinuse_spacealloc_spacecontentions0x[0-9a-f]+do_memaligntc_memaligntc_newarrayruntime\..*_M_allocatenanoseconds# Sys = %d
Source: ngrok.exe	String found in binary or memory: ; EXPIRE: ;; opcode: AUTHORITY: Fixed32KindFixed64KindMessageKindnested_typeoneof_indexallow_aliasoutput_typejson_formatdeclarationStatusCode(NOT_SERVINGChannel #%d{Addr: %q, Closing: %vGrpc-Statusround_robinnot allowedlast minuteDECLARATION"-Infinity"timestamptzsslrootcert READ WRITEpostgres://15:04:05-07.postgresqltransactionmutex.pprofblock.pprofMachineGuidProductNamehttp.schemehttp.targetnet.host.ipnet.peer.ipavx512vnniwavx512vbmi2_INT2VECTORTIMESTAMPTZPG_DATABASEREGOPERATORANYNONARRAYFDW_HANDLERTSM_HANDLERCGO_ENABLED (SQLSTATE pprof::baseapp-startedapp-closingBackupWriteFieldRangesFileImportsCardinalityHasJSONNameHasPresenceIsExtensionfallthrough^([^:]+)://api.pricingautoscalingcloudsearchcognito-idpdevops-guruelasticacheiotsitewiseiotwirelessivsrealtimeopsworks-cmpersonalizerekognitionruntime.lexs3-outpostssecurityhubvoice-chimevpc-latticeUS ISO EastUS ISO WEST<sensitive>Content-Md5,omitempty,<panic: %s>exit status can't happen_ACTIVE_HELPthis commandversion for Subcommand 'write-reportgoogle_httpsResolver: %sHostname: %sConnectivity%s [command]usageExamplecommand_lineSet '%s: %s'socks5_proxysocks5-proxyterminate-athttp://%s:80api_base_url152587890625762939453125short buffer has no name has no typereflect.CopyOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFileExVirtualQueryadvapi32.dlliphlpapi.dllkernel32.dllnetapi32.dllsweepWaiterstraceStringsspanSetSpinemspanSpecialgcBitsArenasmheapSpecialgcpacertracemadvdontneedharddecommitdumping heapchan receivelfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (
Source: ngrok.exe	String found in binary or memory: [0m=%s.in-addr.arpa.unknown mode: Content-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMbytes %d-%d/%dERR_UNKNOWN_%daccept-charsetcontent-lengthfirst_settingsping_on_streamtrailers_bogusread_frame_eof{$} not at endempty wildcardinvalid methodparsing %q: %wunknown error unknown code: Not Acceptablemodule.enabledoidc.client-idreserved-addrscertificate-idelliptic-curvestatic-address
Source: ngrok.exe	String found in binary or memory: Operation ID: %sNgrok-Operation-Id/backends/failover/backends/weighted/tunnels/{{ .ID }}assets/BUILD.bazelassets/credits.txtassets/static/css/CM_MapCrToWin32ErrCloseServiceHandleCreateWellKnownSidGetSidSubAuthorityMakeSelfRelativeSDCertGetNameStringWCryptUnprotectDataPFXImportCertStoreGetBestInterfaceExClosePseudoConsoleEscapeCommFunctionGetCommModemStatusGetCurrentThreadIdGetModuleHandleExWGetVolumePathNameWRemoveDllDirectoryTerminateJobObjectWriteProcessMemoryEnumProcessModulesGetModuleBaseNameWtag:yaml.org,2002:oauth-allow-domainoidc app client idoidc-client-secretrequest-header-addunable to parse IPnetip.ParsePrefix(error fetching CRLcannot be negativeflag %q contains =flag redefined: %sless than a minuteGetConsoleOutputCPapp://%s/%s?pid=%dtext/javascript1.0text/javascript1.1text/javascript1.2text/javascript1.3text/javascript1.4text/javascript1.5half join completeSubchannel createdSubchannel deletedunknown service %vServer.Stop called"INVALID_ARGUMENT"FailedPreconditionRESOURCE_EXHAUSTEDpb.gen_with_suffixexpected element <invalid XML name: Proxy-AuthenticateRCodeServerFailuredecoding error: %vDoubleUpDownArrow;DoubleVerticalBar;DownLeftTeeVector;DownLeftVectorBar;FilledSmallSquare;GreaterSlantEqual;LeftDoubleBracket;LeftDownTeeVector;LeftDownVectorBar;LeftTriangleEqual;NegativeThinSpace;NotReverseElement;NotTildeFullEqual;RightAngleBracket;RightUpDownVector;SquareSubsetEqual;VerticalSeparator;blacktriangledown;blacktriangleleft;leftrightharpoons;rightleftharpoons;twoheadrightarrow;NotGreaterGreater;NotLessSlantEqual;NotNestedLessLess;NotSquareSuperset;malloc_zone_mallocmalloc_zone_callocmalloc_zone_valloc(Mutex::)?Unlock.*# TotalAlloc = %d
Source: ngrok.exe	String found in binary or memory: /api_keys/{{ .ID }}/event_destinationsFailed to %s %v: %vQueryServiceConfigWCreatePseudoConsoleDisconnectNamedPipeGetDiskFreeSpaceExWGetLargePageMinimumGetOverlappedResultGetSystemDirectoryWResizePseudoConsoleRtlAddFunctionTableGetForegroundWindowGetFileVersionInfoWWSALookupServiceEndwhile parsing a taginvalid URL escape missing ']' in hostoauth-client-secretresponse-header-addx509: malformed OIDx509: trailing datax509: unknown error too large for IPv4 too large for IPv6file already existsfile does not existfile already closedmultipartmaxheadersunclosed left parenunknown branch typetemplate: %s:%d: %sunexpected %s in %sRUNEWIDTH_EASTASIANWriteConsoleOutputWXDG_PUBLICSHARE_DIRcannot reset bufferNo update availableBad hex digit in %qno such template %qapplication/ld+jsonBasic realm="ngrok"Prerelease is emptyrequest body closed[pick-first-lb %p] RegisterService(%q)"DEADLINE_EXCEEDED""PERMISSION_DENIED"FAILED_PRECONDITIONpb/extensions.protopb.cli_pretty_printzero length segmentRCodeNotImplementedmime: no media typebinary.LittleEndianevictCount overflowDownRightTeeVector;DownRightVectorBar;LongLeftRightArrow;Longleftrightarrow;NegativeThickSpace;PrecedesSlantEqual;ReverseEquilibrium;RightDoubleBracket;RightDownTeeVector;RightDownVectorBar;RightTriangleEqual;SquareIntersection;SucceedsSlantEqual;blacktriangleright;longleftrightarrow;NotLeftTriangleBar;--- Memory map: ------ threadz \d+ ---(__)?posix_memaligntc_newarray_nothrowmalloc_zone_reallocDoSampledAllocationoperator new(\[\])?runtime\.call[0-9]*#%#x%s+%#x%s:%d
Source: ngrok.exe	String found in binary or memory: unknown address type command not supportedPrecondition RequiredInternal Server ErrorCreate a new bot userdelete <edge-id> <id>module.rolling-windowhttps-edge-route-oidchttps-edge-route-samlsaml.maximum-durationoidc.maximum-durationsaml.idp-metadata-urlupdate <edge-id> <id>target.datadog.ddtagstarget.datadog.ddsitestatus code to returnhttps-edge-mutual-tlsssh-host-certificatesssh-user-certificatesexec: already startedbufio: negative countdecompression failureunsupported extensionafter top-level valuein string escape codeflow control violatedAuthImproperTokenCodeAPIInvalidVersionCodeAPIMissingVersionCodeBindAnonSubdomainCodeBindWildcardMatchCodeBindHostportInUseCodeBindDomainTooLongCodeReservedAddrLimitCodeMuxBadHTTPRequestCodeMuxRequestTimeoutCodeBillingEmailLimitCodeDashNoGoogleLoginCodeDashSignupBlockedCodeCertsDNS01NSCountCodeAccountsNameEmptyCodeUsersEmailInvalidCodeAbuseTCPIPUnknownCodeEvsubInvalidFieldCodeBackendNotAllowedCodeEdgeLimitExceededCodeEdgeAuthExclusionCodeAgentIPV6DisabledCodeMFADeviceNotFoundCodefailed to deserializeInvalid log level: %wCM_Get_DevNode_StatusChangeServiceConfig2WDeregisterEventSourceEnumServicesStatusExWGetNamedSecurityInfoWSetNamedSecurityInfoWDwmGetWindowAttributeDwmSetWindowAttributeGetVolumeInformationWNtCreateNamedPipeFileSetupDiEnumDeviceInfoSetupUninstallOEMInfWWSALookupServiceNextWWTSEnumerateSessionsWinvalid emitter stateexpected STREAM-STARTexpected DOCUMENT-ENDcannot marshal type: write handler not setverify-webhook-secretrequest-header-removeinvalid NumericStringx509: invalid versionIPv4 address too longunexpected slice sizeerror parsing CRL URLfailed to verify CRL:CRL out of date at %sinvalid named captureflag %q begins with -record on line %d: %vbad number syntax: %qundefined variable %qGetCurrentConsoleFontno more state changesinvalid tunnel configat range loop break: listening on %s (%s)
Source: ngrok.exe	String found in binary or memory: Run '%v --help' for usage.
Source: ngrok.exe	String found in binary or memory: Run '%v --help' for usage.
Source: ngrok.exe	String found in binary or memory: unsafe.String: len out of rangecannot assign requested address.lib section in a.out corruptedmalformed time zone informationW. Central Africa Standard TimeCentral Brazilian Standard TimeMountain Standard Time (Mexico)time: missing unit in duration mergeRuneSets odd length []runemissing argument for comparisonrange over send-only channel %vvalue has type %s; should be %ssotypeToNet unknown socket typemultipart/byteranges; boundary=http2: connection error: %v: %vframe_headers_prio_weight_shortPRIORITY frame with stream ID 0too many authentication methodsRequested Range Not SatisfiableRequest Header Fields Too LargeNetwork Authentication Requiredtoo many transfer encodings: %qnet/http: TLS handshake timeoutattachment; filename="%s-delta"https-edge-route-ip-restrictionmodule.provider.facebook.scopesmodule.provider.linkedin.scopesoauth.provider.github.client-idoauth.provider.microsoft.scopesoauth.provider.google.client-idoauth.provider.gitlab.client-idoauth.provider.twitch.client-idoauth.provider.amazon.client-idwebsocket-tcp-converter.enabledbody to return as fixed contenthostname of the reserved domaintls: no certificates configuredbad certificate status responsetls: unsupported public key: %TTLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_256_GCM_SHA384failed to parse certificate: %wTLS: sequence number wraparoundCLIENT_HANDSHAKE_TRAFFIC_SECRETSERVER_HANDSHAKE_TRAFFIC_SECRETtls: failed to sign handshake: json: invalid number literal %qin literal true (expecting 'r')in literal true (expecting 'u')in literal true (expecting 'e')in literal null (expecting 'u')in literal null (expecting 'l')expected colon after object key looking for beginning of valuefailed to pack WNDINC frame: %vAPIRequestRateLimitExceededCodeBindDomainBadPunycodePrefixCodeBindConfigDisallowsIPPolicyCodeBindTunnelRateLimitExceededCodeBindACLForbidsRandomAddressCodeBindLabeledTunnelNotAllowedCodeBindAgentDuplicateAddHeaderCodeReservedDomainInvalidRegionCodeReservedDomainInvalidPrefixCodeReservedDomainInvalidSuffixCodeReservedDomainWildcardLimitCodeReservedDomainCNAMENotFoundCodeReservedAddrDescrCharsLimitCodeReservedCustomExistingCNAMECodeTunnelV2RestartNotSupportedCodeBillingAddressInvalidLengthCodeBillingEmailDeleteProtectedCodeBillingLicenseLimitExceededCodeSSHTunnelPublicKeysNotFoundCodeSSHTunnelNoMultipleForwardsCodeSSHTunnelPortForwardTimeoutCodeSSHTunnelUpdateNotSupportedCodeDashUserBelongsToNoAccountsCodeCertsSSHCAPublicKeyRequiredCodeCertsSSHCARateLimitExceededCodeMwCompileHandlerTypeInvalidCodeMwCompileBackendAddrInvalidCodeMwCompileIPFilterNoIPPolicyCodeMwCompileHTTPMuxPathTooLongCodeMwCompileAppProtocolInvalidCodeMwPolicyIPTreeFailedToBuildCodeMwRuntimeHTTPBackendTimeoutCodeMwRuntimeNoBackendAvailableCodeUsersDeleteBannedDisallowedCodeUserSelfServeSignupDisabledCodeUserAccountCreationDisabledCodeFeatureRequestLengthInvalidCodeEventDestinationMissingAuthCodeEventDestinationTooMuchAuthCodeEventSubscriptionNotAllowedCodeEventSourceFilterNotAllo
Source: ngrok.exe	String found in binary or memory: unsafe.String: len out of rangecannot assign requested address.lib section in a.out corruptedmalformed time zone informationW. Central Africa Standard TimeCentral Brazilian Standard TimeMountain Standard Time (Mexico)time: missing unit in duration mergeRuneSets odd length []runemissing argument for comparisonrange over send-only channel %vvalue has type %s; should be %ssotypeToNet unknown socket typemultipart/byteranges; boundary=http2: connection error: %v: %vframe_headers_prio_weight_shortPRIORITY frame with stream ID 0too many authentication methodsRequested Range Not SatisfiableRequest Header Fields Too LargeNetwork Authentication Requiredtoo many transfer encodings: %qnet/http: TLS handshake timeoutattachment; filename="%s-delta"https-edge-route-ip-restrictionmodule.provider.facebook.scopesmodule.provider.linkedin.scopesoauth.provider.github.client-idoauth.provider.microsoft.scopesoauth.provider.google.client-idoauth.provider.gitlab.client-idoauth.provider.twitch.client-idoauth.provider.amazon.client-idwebsocket-tcp-converter.enabledbody to return as fixed contenthostname of the reserved domaintls: no certificates configuredbad certificate status responsetls: unsupported public key: %TTLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_256_GCM_SHA384failed to parse certificate: %wTLS: sequence number wraparoundCLIENT_HANDSHAKE_TRAFFIC_SECRETSERVER_HANDSHAKE_TRAFFIC_SECRETtls: failed to sign handshake: json: invalid number literal %qin literal true (expecting 'r')in literal true (expecting 'u')in literal true (expecting 'e')in literal null (expecting 'u')in literal null (expecting 'l')expected colon after object key looking for beginning of valuefailed to pack WNDINC frame: %vAPIRequestRateLimitExceededCodeBindDomainBadPunycodePrefixCodeBindConfigDisallowsIPPolicyCodeBindTunnelRateLimitExceededCodeBindACLForbidsRandomAddressCodeBindLabeledTunnelNotAllowedCodeBindAgentDuplicateAddHeaderCodeReservedDomainInvalidRegionCodeReservedDomainInvalidPrefixCodeReservedDomainInvalidSuffixCodeReservedDomainWildcardLimitCodeReservedDomainCNAMENotFoundCodeReservedAddrDescrCharsLimitCodeReservedCustomExistingCNAMECodeTunnelV2RestartNotSupportedCodeBillingAddressInvalidLengthCodeBillingEmailDeleteProtectedCodeBillingLicenseLimitExceededCodeSSHTunnelPublicKeysNotFoundCodeSSHTunnelNoMultipleForwardsCodeSSHTunnelPortForwardTimeoutCodeSSHTunnelUpdateNotSupportedCodeDashUserBelongsToNoAccountsCodeCertsSSHCAPublicKeyRequiredCodeCertsSSHCARateLimitExceededCodeMwCompileHandlerTypeInvalidCodeMwCompileBackendAddrInvalidCodeMwCompileIPFilterNoIPPolicyCodeMwCompileHTTPMuxPathTooLongCodeMwCompileAppProtocolInvalidCodeMwPolicyIPTreeFailedToBuildCodeMwRuntimeHTTPBackendTimeoutCodeMwRuntimeNoBackendAvailableCodeUsersDeleteBannedDisallowedCodeUserSelfServeSignupDisabledCodeUserAccountCreationDisabledCodeFeatureRequestLengthInvalidCodeEventDestinationMissingAuthCodeEventDestinationTooMuchAuthCodeEventSubscriptionNotAllowedCodeEventSourceFilterNotAllo
Source: ngrok.exe	String found in binary or memory: Invalid URL for json_resolver_url142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length sync: RUnlock of unlocked RWMutexskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangetoo many levels of symbolic linksInitializeProcThreadAttributeListwaiting for unsupported file typebytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whenceflag accessed but not defined: %sunknown shorthand flag: %q in -%sflag needs an argument: %q in -%s%s must be formatted as key=valueincompatible types for comparisoncannot index slice/array with nilFailed to initialize terminal: %wForwarding was restarted due to: disabled updater should never runchecking for updates periodicallyUpdate to version %s successful!
Source: ngrok.exe	String found in binary or memory: Invalid URL for json_resolver_url142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length sync: RUnlock of unlocked RWMutexskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangetoo many levels of symbolic linksInitializeProcThreadAttributeListwaiting for unsupported file typebytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whenceflag accessed but not defined: %sunknown shorthand flag: %q in -%sflag needs an argument: %q in -%s%s must be formatted as key=valueincompatible types for comparisoncannot index slice/array with nilFailed to initialize terminal: %wForwarding was restarted due to: disabled updater should never runchecking for updates periodicallyUpdate to version %s successful!
Source: ngrok.exe	String found in binary or memory: save authtoken to configuration fileWrapper limit cannot be less than 1.Error creating directory for report:TCP tunnel %s cannot inspect trafficTLS tunnel %s cannot inspect traffichttp://crl.ngrok-agent.com/ngrok.crlURL scheme must be 'http' or 'https'Invalid IP in dns_resolver_ips: '%s'444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzmethod ABI and value ABI don't alignreflect.Value.Equal: values of type lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: ngrok.exe	String found in binary or memory: save authtoken to configuration fileWrapper limit cannot be less than 1.Error creating directory for report:TCP tunnel %s cannot inspect trafficTLS tunnel %s cannot inspect traffichttp://crl.ngrok-agent.com/ngrok.crlURL scheme must be 'http' or 'https'Invalid IP in dns_resolver_ips: '%s'444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzmethod ABI and value ABI don't alignreflect.Value.Equal: values of type lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: ngrok.exe	String found in binary or memory: runtime: bad notifyList size - sync=accessed data from freed user arena runtime: wrong goroutine in newstackruntime: invalid pc-encoded table f=accessing a corrupted shared libraryTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionexceeded maximum template depth (%v)%s is not a method but has argumentswrong number of args: got %d want %dinternal error: associate not commonconnect.us-cal-1.ngrok-agent.com:443connect.eu-lon-1.ngrok-agent.com:443can't apply '%T' to %s configurationauto update is enabled, apply updatehttp: no Location header in responsehttp: unexpected EOF reading trailerhttp: invalid byte %q in Cookie.Path LastStreamID=%v ErrCode=%v Debug=%qhttp2: server rejecting conn: %v, %sHeader called after Handler finishedRoundTrip retrying after failure: %vJanFebMarAprMayJunJulAugSepOctNovDecno acceptable authentication methodsGet the details of an API key by ID.Delete an application session by ID.Get the details of a Bot User by ID.raw PEM of the Certificate Authoritymodule.provider.github.client-secretmodule.provider.github.email-domainsmodule.provider.github.organizationsmodule.provider.google.client-secretmodule.provider.google.email-domainsmodule.provider.gitlab.client-secretmodule.provider.gitlab.email-domainsmodule.provider.twitch.client-secretmodule.provider.twitch.email-domainsmodule.provider.amazon.client-secretmodule.provider.amazon.email-domainsmutual-tls.certificate-authority-idsThe ID portion of an AWS access key.target.cloudwatch-logs.log-group-arnService name to send with the event.List all IP policies on this accountexpected an ECDSA public key, got %TTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHAtls: keys must have at least one keyunsupported SSLv2 handshake receivedtls: server did not send a key sharejson: encoding error for type %q: %qAPIInvalidCertificateAuthorityIDCodeAPIInvalidEventDestinationFormatCodeAPIInvalidEventDestinationTargetCodeBindAgentRequestHeaderAddInvalidCodeBindAgentHeaderKeyLengthExceededCodeBindAgentHeaderValLengthExceededCodeBindLabeledTunnelACLNotSupportedCodeReservedDomainNonLeadingWildcardCodeReservedDomainGaugeLimitExceededCodeReservedDomainNameDomainConflictCodeReservedAddressRateLimitExceededCodeMuxHTTPRequestsRateLimitExceededCodeBillingEmailAddressInvalidLengthCodeBillingAddressGaugeLimitExceededCodeEndpointConfigurationTypeInvalidCodeCertsInvalidDomainAlreadyManagedCodeCertsSSHUnsupportedPublicKeyTypeCodeCertsSSHUserCertNegativeDurationCodeCertsSSHHostCertNegativeDurationCodeMwCompileOAuthInvalidEmailDomainCodeMwPolicyInvalidActionConfigValueCodeMwPolicyHeaderValueLengthInvalidCodeMwPolicyCompressInvalidAlgorithmCodeMwPolicyInvalidIPPolicyReferenceCodeMwPolicyFieldNotUserConfigurableCodeMwRuntimeOAuthUserActionRequiredCodeEventDestinationDatadogAuthErrorCodeFederatedIdPOIDCPointcfgNotFoundCodeBackendMisma
Source: ngrok.exe	String found in binary or memory: http: putIdleConn: keep alives disabledinvalid HTTP header value for header %qusername/password authentication failedcertificate-management-policy.authorityList all API keys owned by this accountmodule.provider.microsoft.client-secretmodule.provider.microsoft.email-domainsoauth.provider.facebook.email-addressesoauth.provider.linkedin.email-addressesUpdate attributes of an IP policy by IDexec: environment variable contains NULtls: unsupported certificate curve (%s)TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256tls: internal error: wrong nonce lengthno mutually supported protocol versionschain is not signed by an acceptable CACredsCredentialMembershipIsInactiveCodeCredsCannotDeleteDefaultTunnelTokenCodeMuxIncomingTrafficRateLimitExceededCodeMuxOutgoingTrafficRateLimitExceededCodeMuxConnectionsPerMonthLimitExceededCodeSSHTunnelHostnameSubdomainExclusiveCodeEndpointConfigurationInvalidRequestCodeEndpointConfigurationOAuthEmptyTeamCodeEndpointConfigurationCADoesNotExistCodeEndpointConfigurationDescCharsLimitCodeEndpointConfigurationMetaCharsLimitCodeEndpointConfigurationMutualTLSNotCACodeCertsCertificateInsteadOfPrivateKeyCodeCertsPrivateKeyInsteadOfCertificateCodeCertsSSHCAEllipticCurveNotSupportedCodeMwCompileTLSInvalidHandshakeTimeoutCodeMwCompileUserSessionInvalidSameSiteCodeMwRuntimeOAuthUserResourceForbiddenCodeMwRuntimeJWTValidationPrefixMissingCodeEmailConfirmationsResendRateLimitedCodeEventDestinationInvalidARNPartitionCodeFederatedIdPOIDCTokenExchangeFailedCodeFederatedIdPOIDCConfigurationAbsentCodeFederatedIdPOAuthInvalidEmailDomainCodeBackendHTTPResponseHeaderKeyInvalidCodeMembershipsSetPermissionsDisallowedCodeMembershipsSetActiveDisallowedAdminCodeEdgeInvalidCircuitBreakerNumBucketsCodeEdgeOAuthInvalidPunycodeEmailDomainCodeEdgeSessionInactivityTimeoutTooHighCodeEdgeAccountNotAuthorizedCompressionCodeEdgeJWTValidationHttpTokenDuplicateCodesession closed, starting reconnect loop/reserved_domains/{{ .ID }}/certificateassets/local/tls/trusted.root.local.crtassets/local/tls/trusted.root.stage.crtRtlDosPathNameToNtPathName_U_WithStatuscannot decode node with unknown kind %dunknown problem generating YAML contentcannot marshal invalid UTF-8 data as %scannot encode node with unknown kind %dfound an incorrect trailing UTF-8 octetdid not find expected hexdecimal numberx509: invalid subject alternative namesx509: invalid NameConstraints extensionx509: failed to parse URI constraint %qx509: unknown EC private key version %d because it doesn't contain any IP SANsx509: signing with MD5 is not supportedIPv4 field must have at least one digitmissing argument to repetition operatortrailing backslash at end of expressionextraneous or missing " in quoted-fieldcsv: invalid field or comment delimiterproxyproto: can't read version 1 headermartini handler must be a callable funcfailed to deserialize request parameterUnable to upgrade websocket request: %vCreating new client transport to %q:
Source: ngrok.exe	String found in binary or memory: Specified region is not in the known seterrors: target must be a non-nil pointer13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 called with negative precreflect: FieldByName of non-struct type reflect.Value.Call: call of nil functionreflect.Value.Call: wrong argument countattempted to copy pointer to FP registerMapIter.Key called on exhausted iteratorreflect.Value.SetBytes of non-byte slicereflect.Value.setRunes of non-rune sliceinvalid span in heapArena for user arenaruntime: typeBitsBulkBarrier with type bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsaddress family not supported by protocoltime: Stop called on uninitialized Timertimeout while trying to apply the updateTunnel declaration must contain a 'name'Policy is one of: 'always', 'only_minor'http2: timeout awaiting response headersFrame accessor called on non-owned Frameinternal error: expecting non-nil streamrequest header %q is not valid in HTTP/2http2: Transport encoding header %q = %qprotocol error: headers after END_STREAMwriteData(stream=%d, p=%d, endStream=%v)host contains '{' (missing initial '/'?)bad wildcard segment (must end with '}')backend to be used to back this endpointmodule.provider.facebook.email-addressesmodule.provider.linkedin.email-addresseshttps-edge-route-websocket-tcp-converteroauth.provider.microsoft.email-addressesList all active endpoints on the accountThe secret portion of an AWS access key.List this Account's Event Subscriptions.List all IP policy rules on this accountList all IP restrictions on this accountList all ssh credentials on this accountList all static backends on this accountclient doesn't support certificate curveoversized record received with length %dtls: received empty certificates messagetls: client didn't provide a certificateBindTunnelAnonymousRateLimitExceededCodeReservedDomainChallengeCNAMENotFoundCodeReservedDomainRegionChangeNotAllowedCodeReservedAddrInvalidConfigurationTypeCodeMuxHTTPRequestsPerMonthLimitExceededCodeTunnelV2OperationCommunicationFailedCodeMaintenanceSomeOperationsUnavailableCodeEndpointConfigurationOAuthEmptyGroupCodeIPRestrictionAccountNotAuthorizedAPICodeMwCompileBasicAuthRealmLengthInvalidCodeMwCompileHTTPHeaderNameLengthInvalidCodeMwCompileUserAgentFilterInvalidRegexCodeMwRuntimeOAuthUserMissingPermissionsCodeMwRuntimeOAuthProviderAPIUnavailableCodeMwRuntimeFederatedAuthCookieNotFoundCodeMwRuntimeJWTValidationTokenMalformedCodeMwRuntimeJWTValidationJWKSFetchErrorCodeAccountsTrafficFullCaptureDisallowedCodeInvitationsAdminPermissionDisallowedCode
Source: ngrok.exe	String found in binary or memory: Use: stop <id>tls: internal error: sending non-handshake message to QUIC transportEndpointConfigurationCircuitBreakerThresholdPercentageOutOfRangeCodeexpected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vembedded IPv4 address must replace the final 2 fields of the addressinvalid retry throttling config: tokenRatio (%v) may not be negativeheap profile: (\d+): (\d+) \[ (\d+): (\d+) \] @ fragmentationz2695994666715063979466701508701963067355791626002630814351006629888126959946667150639794667015087019625940457807714424391721682722368061crypto/hmac: hash generation function does not produce unique valuesinvalid proto.Message(%T) type, expected a protoreflect.Message typebig: invalid 2nd argument to Int.Jacobi: need odd integer but got %sexpected a JSON struct with one entry; received entry %v at index %dChannelz: socket options are not supported on non-linux environmentscannot assign %v, needed to assign %d elements, but only assigned %dpq: Could not detect default username. Please provide one explicitlyinvalid descriptor: using edition features in a proto with syntax %sextension %v does not implement protoreflect.ExtensionTypeDescriptorYou must specify -config with the path to an ngrok configuration fileYou may not specify both 'region' and 'server_addr' at the same time.Connect timeout must be a positive time duration, e.g. '10s', '500ms'reflect: embedded interface with unexported method(s) not implementedhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)%s matches more methods than %s, but has a more specific path pattern%s matches fewer methods than %s, but has a more general path patternarbitrary user-defined data of this API key. optional, max 4096 bytesAdd an additional type for which this event subscription will triggertls: peer doesn't support the certificate custom signature algorithmstls: handshake message of length %d bytes exceeds maximum of %d bytestls: client certificate contains an unsupported public key of type %Ttoo many hex fields to fit an embedded IPv4 at the end of the addressNetPrefix IP had a length of %d where a length of 4 or 16 is requiredparam: error parsing key %q: unknown field %q on struct %q of type %vedwards25519: internal error: setShortBytes called with a long stringheap profile: (\d+): (\d+) \[ (\d+): (\d+) \] @ fragmentationz?path to TLS certificate authority to verify client certs in mutual tlsFile tunnel %s encountered an error validating directory path '%s': %vsync/atomic: compare and swap of inconsistently typed value into Valuebytes.Buffer: UnreadByte: previous operation was not a successful readinexhaustive case match in server command handler: unknown command %+vgot %s for stream %d; expected CONTINUATION following %s for stream %dAbuse Reports allow you to submit take-down requests for URLs hoste...invalid number of arguments: got %d, need at least %d
Source: ngrok.exe	String found in binary or memory: ngrok tcp --remote-addr=1.tcp.ngrok.io:27210 3389The time when this host certificate becomes invalid, in RFC 3339 format. If unspecified, a default value of 24 hours will be used. The OpenSSH certificates RFC calls this valid_before.
Source: ngrok.exe	String found in binary or memory: The add-server-addr command modifies your configuration file to include
Source: ngrok.exe	String found in binary or memory: the next backend in the list until one is successful.Updates a TCP Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates a TLS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates an HTTPS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Defines the name identifier format the SP expects the IdP to use in its assertions to identify subjects. If unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of the allowed values enumerated by the SAML specification are supported.the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizing the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See the OpenSSH certificate protocol spec (https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys) for additional details.Updates an HTTPS Edge Route by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.API Keys are used to authenticate to the ngrok
Source: ngrok.exe	String found in binary or memory: -h, --help help for ngrok
Source: ngrok.exe	String found in binary or memory: -h, --help help for ngrok
Source: ngrok.exe	String found in binary or memory: Use "ngrok [command] --help" for more information about a command.
Source: ngrok.exe	String found in binary or memory: Use "ngrok [command] --help" for more information about a command.
Source: ngrok.exe	String found in binary or memory: --remote-addr option. ngrok requires that you reserve a TCP tunnel
Source: ngrok.exe	String found in binary or memory: Use "{{.CommandPath}} [command] --help" for more information about a command.{{end}}
Source: ngrok.exe	String found in binary or memory: Use "{{.CommandPath}} [command] --help" for more information about a command.{{end}}
Source: ngrok.exe	String found in binary or memory: set -l directive (string sub --start 2 $__%[1]s_perform_completion_once_result[-1])
Source: ngrok.exe	String found in binary or memory: align-items: flex-start;
Source: ngrok.exe	String found in binary or memory: .glyphicon-stop:before {
Source: ngrok.exe	String found in binary or memory: .has-success .input-group-addon {
Source: ngrok.exe	String found in binary or memory: .has-warning .input-group-addon {
Source: ngrok.exe	String found in binary or memory: .has-error .input-group-addon {
Source: ngrok.exe	String found in binary or memory: .form-inline .input-group .input-group-addon,
Source: ngrok.exe	String found in binary or memory: .input-group-lg > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: select.input-group-lg > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: textarea.input-group-lg > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: select[multiple].input-group-lg > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: .input-group-sm > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: select.input-group-sm > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: textarea.input-group-sm > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: select[multiple].input-group-sm > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: .input-group-addon,
Source: ngrok.exe	String found in binary or memory: .input-group-addon:not(:first-child):not(:last-child),
Source: ngrok.exe	String found in binary or memory: .input-group-addon {
Source: ngrok.exe	String found in binary or memory: .input-group-addon.input-sm {
Source: ngrok.exe	String found in binary or memory: .input-group-addon.input-lg {
Source: ngrok.exe	String found in binary or memory: .input-group-addon input[type="radio"],
Source: ngrok.exe	String found in binary or memory: .input-group-addon input[type="checkbox"] {
Source: ngrok.exe	String found in binary or memory: .input-group-addon:first-child,
Source: ngrok.exe	String found in binary or memory: .input-group-addon:first-child {
Source: ngrok.exe	String found in binary or memory: .input-group-addon:last-child,
Source: ngrok.exe	String found in binary or memory: .input-group-addon:last-child {
Source: ngrok.exe	String found in binary or memory: .navbar-form .input-group .input-group-addon,
Source: ngrok.exe	String found in binary or memory: .hljs-addition,
Source: ngrok.exe	String found in binary or memory: net/addrselect.go
Source: ngrok.exe	String found in binary or memory: github.com/pires/go-proxyproto@v0.7.0/addr_proto.go
Source: ngrok.exe	String found in binary or memory: google.golang.org/grpc@v1.63.0/internal/balancerload/load.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_common.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_no.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v1.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v2.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/lib/web/manifest/loader.go
Source: ngrok.exe	String found in binary or memory: github.com/kentik/patricia@v1.2.0/address_v4.go
Source: ngrok.exe	String found in binary or memory: github.com/kentik/patricia@v1.2.0/address_v6.go
Source: ngrok.exe	String found in binary or memory: golang.org/x/sys@v0.19.0/windows/svc/eventlog/install.go

Source: C:\Users\user\Desktop\ngrok.exe

File read: C:\Users\user\Desktop\ngrok.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ngrok.exe "C:\Users\user\Desktop\ngrok.exe"
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Users\user\Desktop\ngrok.exe C:\Users\user\Desktop\ngrok.exe
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Users\user\Desktop\ngrok.exe C:\Users\user\Desktop\ngrok.exe	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K	Jump to behavior

Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: samlib.dll	Jump to behavior

Source: ngrok.exe

Static PE information: certificate valid

Source: ngrok.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ngrok.exe

Static file information: File size 29596392 > 1048576

Source: ngrok.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0xa55200
Source: ngrok.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1077c00

Source: ngrok.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ngrok.exe	Static PE information: section name: .xdata
Source: ngrok.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\ngrok.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: ngrok.exe, 00000002.00000002.1910086609.000002B32B538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllww%_P
Source: ngrok.exe	Binary or memory string: X4xSOkS7vrOepX4JFNhqVdxut7pqEmuj1Xf7KhHtFquFM5fhLJHnWEJGWOTRbRVp
Source: ngrok.exe, 00000000.00000002.3144014972.0000018E4C014000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ngrok.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Users\user\Desktop\ngrok.exe C:\Users\user\Desktop\ngrok.exe			Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K			Jump to behavior

Source: C:\Users\user\Desktop\ngrok.exe	Queries volume information: C:\Users\user\Desktop\ngrok.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Queries volume information: C:\Users\user\Desktop\ngrok.exe VolumeInformation			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ngrok.exe	24%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
https://getbootstrap.com/)	0%	URL Reputation	safe
http://jedwatson.github.io/classnames	0%	URL Reputation	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ngrok.com/tosAuto	ngrok.exe	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	ngrok.exe	false	URL Reputation: safe	unknown
https://ngrok.com/docs/cloud-edge/modules/webhook-verification)the	ngrok.exe	false		unknown
https://www.ngrok.com	ngrok.exe, 00000000.00000002.3142179693.000000C0004C0000.00000004.00001000.00020000.00000000.sdmp, ngrok.exe, 00000002.00000002.1903640154.000000C000250000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/	ngrok.exe	false		unknown
https://ngrok.com/docs/cloud-edge/endpoints#certificate-chains).Integer	ngrok.exe	false		unknown
http://www.eslinstructor.net/vkbeautify/	ngrok.exe	false		unknown
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)	ngrok.exe	false		unknown
https://dashboard.ngrok.com/api/keys)	ngrok.exe	false		unknown
https://github.com/golang/protobuf/issues/1609):	ngrok.exe	false		unknown
https://ngrok.com/tos	ngrok.exe	false		unknown
https://getbootstrap.com/)	ngrok.exe	false	URL Reputation: safe	unknown
https://github.com/spf13/cobra/issues/1508	ngrok.exe	false		unknown
https://ngrok.com/docs/errors/err_ngrok_8012	ngrok.exe, 00000002.00000002.1903640154.000000C000250000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://ngrok.com/docs/cloud-edge/modules/webhook-verification	ngrok.exe	false		unknown
https://dns.google.com/resolve?/tunnel_sessions/	ngrok.exe	false		unknown
http://creativecommons.org/publicdomain/zero/1.0	ngrok.exe	false		unknown
https://ngrok.com/docs/cloud-edge/endpoints#private-keys).A	ngrok.exe	false		unknown
http://www.opensource.org/licenses/mit-license.php	ngrok.exe	false		unknown
https://ngrok.com/docs/api#authentication).	ngrok.exe	false		unknown
https://instrumentation-telemetry-intake.datadoghq.com/api/v2/apmtelemetryAddAttrs	ngrok.exe	false		unknown
http://crl.ngrok.com/ngrok.crl227373675443232059478759765625reflect:	ngrok.exe	false		unknown
https://dashboard.ngrok.com/api.	ngrok.exe	false		unknown
http://crl.ngrok-agent.com/ngrok.crlURL	ngrok.exe	false		unknown
https://github.com/twbs/bootstrap/blob/master/LICENSE)	ngrok.exe	false		unknown
http://www.gnu.org/licenses/gpl.html	ngrok.exe	false		unknown
https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css	ngrok.exe	false		unknown
http://fsf.org/	ngrok.exe	false		unknown
https://api.ngrok.comunsupported	ngrok.exe	false		unknown
https://ngrok....Certificate	ngrok.exe	false		unknown
http://mattn.mit-license.org/2013	ngrok.exe	false		unknown
http://jedwatson.github.io/classnames	ngrok.exe	false	URL Reputation: safe	unknown
https://github.com/spf13/cobra/issues/1279	ngrok.exe	false		unknown
https://dashboard.ngrok.com/billing/subscription	ngrok.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1455159
Start date and time:	2024-06-11 14:54:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ngrok.exe
Detection:	MAL
Classification:	mal52.winEXE@6/2@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: ngrok.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\ngrok.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.653736176242947
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ngrok.exe
File size:	29'596'392 bytes
MD5:	73978a303b99aad781516908ef925b00
SHA1:	b9586f6c92eea257bba6f617f61fda3ac2b05b6f
SHA256:	8549c2e539e071091426857781827c9759cfbe71ecb4d9e3e0193969f763a38d
SHA512:	6b99ebcc8ed34d2e24695d08c41bf9517e948c39d89aa99ad441292e4f7b3fb23503cd835c50358367536eeadc2f36312980c67c3c87e866a957523cb71172c6
SSDEEP:	393216:9gq9iRFJqNTgtccoOd5mM0w11/HXZeTs2V/ih+rlVmvJ:Oq9iRFANTtQ
TLSH:	B4575A07E96441E8C5E9C135CA669613BB717C488B3037D73B60FB686F76BD0AAB9310
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........t........"......R.......... .........@.....................................W.....`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x47b120
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	07361a3a7f515bf56ca93120b2aca73b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	30/05/2024 01:00:00 28/08/2027 00:59:59
Subject Chain	E=support@ngrok.com, CN="Ngrok, Inc.", O="Ngrok, Inc.", L=San Diego, S=California, C=US
Version:	3
Thumbprint MD5:	CC5EDA008651FDA11F28615C7195CB79
Thumbprint SHA-1:	7A54EB0D199484EB8CAEA931C90A744BCF02A7E0
Thumbprint SHA-256:	DCD0CADC31F1510A6B56E2A76FD37B6D66E7A2B1B6016FA37FACE467F08F76B4
Serial:	083A42D331C15FD98D28315D15D9E3F7

Entrypoint Preview

Instruction
jmp 00007F0290DA4900h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [01BD3CDAh]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F0290DA8205h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F0290DB385Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ca0000	0x590	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1cda000	0x228	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1c5e000	0x40890	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1c37a00	0x20e8	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ca1000	0x37bb4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1ad1340	0x190	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa5506f	0xa55200	cb3d1880d22a8d946eb5bf5a59a520d1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa57000	0x1077a40	0x1077c00	22ebc2ec32f0fa14d03b9a93b482e68a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1acf000	0x18eb30	0xf1200	c511207f430eddaaf15a90c296fa5ed9	False	0.24535664528252982	data	4.116476133850692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1c5e000	0x40890	0x40a00	7e0e478626a501415c2aadc3c0f3a63f	False	0.3967525991295938	data	5.929367390344555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x1c9f000	0xb4	0x200	9426b63182379023a7b7c8245dbe6ead	False	0.220703125	data	1.7635806726373504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x1ca0000	0x590	0x600	03ac20c404d4be7e4334a626903a529f	False	0.3899739583333333	TTComp archive data, binary, 1K dictionary	4.2513048069100705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1ca1000	0x37bb4	0x37c00	c65b51ae514cfe1ec0be15e04d43285f	False	0.17360040639013452	data	5.457073600306573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x1cd9000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1cda000	0x228	0x400	e241c7f7d9c7f0f6450694d4c73a2bb2	False	0.28125	data	1.8756336896976922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1cda058	0x1cc	data	English	United States	0.5413043478260869

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetThreadPriority, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateWaitableTimerA, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2024 14:56:45.628654003 CEST	53	59130	162.159.36.2	192.168.2.4
Jun 11, 2024 14:56:46.477153063 CEST	53	61680	1.1.1.1	192.168.2.4

Statistics

CPU Usage

• ngrok.exe
• conhost.exe
• ngrok.exe
• cmd.exe

Click to jump to process

Memory Usage

• ngrok.exe
• conhost.exe
• ngrok.exe
• cmd.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	08:56:04
Start date:	11/06/2024
Path:	C:\Users\user\Desktop\ngrok.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ngrok.exe"
Imagebase:	0xf90000
File size:	29'596'392 bytes
MD5 hash:	73978A303B99AAD781516908EF925B00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	08:56:04
Start date:	11/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:56:05
Start date:	11/06/2024
Path:	C:\Users\user\Desktop\ngrok.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\ngrok.exe
Imagebase:	0xf90000
File size:	29'596'392 bytes
MD5 hash:	73978A303B99AAD781516908EF925B00
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:56:07
Start date:	11/06/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /K
Imagebase:	0x7ff78dfd0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ngrok.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: ngrok.exePID: 7300, Parent PID: 2580

General

File Activities

Windows Analysis Report
ngrok.exe