Windows Analysis Report
SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe

Overview

General Information

Sample name: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe
Analysis ID: 1467826
MD5: 56d222d5febef9fb176df8c79d28c8ae
SHA1: e1e949d891ddb4039a7034eade86beaefc531d9e
SHA256: d1f800693df281cd68144d531f598c40b71b36138f4cc2655abdbf8d2990e92b
Tags: exe
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly
Creates a process in suspended mode (likely to inject code)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd.exe /K, CommandLine: cmd.exe /K, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe, ParentProcessId: 4392, ParentProcessName: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe, ProcessCommandLine: cmd.exe /K, ProcessId: 1756, ProcessName: cmd.exe
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe; ReversingLabs: Detection: 28%
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe; Static PE information: certificate valid
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: classification engine; Classification label: mal52.winEXE@6/2@0/0
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeFile opened: C:\Windows\system32\488530dd4d2e1092c100b934007345f38fd3879c54eb049acdd9f4532318855fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeFile opened: C:\Windows\system32\0dcd520cd4936fccd8ac73ad323559c05e752a50fecf4e3bcbcd1af12187ff64AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeString found in binary or memory: save authtoken to configuration fileWrapper limit cannot be less than 1.Error creating directory for report:TCP tunnel %s cannot inspect trafficTLS tunnel %s cannot inspect traffichttp://crl.ngrok-agent.com/ngrok.crlURL scheme must be 'http' or 'https'Invalid IP in dns_resolver_ips: '%s'444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzmethod ABI and value ABI don't alignreflect.Value.Equal: values of type lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeString found in binary or memory: runtime: bad notifyList size - sync=accessed data from freed user arena runtime: wrong goroutine in newstackruntime: invalid pc-encoded table f=accessing a corrupted shared libraryTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionexceeded maximum template depth (%v)%s is not a method but has argumentswrong number of args: got %d want %dinternal error: associate not commonconnect.us-cal-1.ngrok-agent.com:443connect.eu-lon-1.ngrok-agent.com:443can't apply '%T' to %s configurationauto update is enabled, apply updatehttp: no Location header in responsehttp: unexpected EOF reading trailerhttp: invalid byte %q in Cookie.Path LastStreamID=%v ErrCode=%v Debug=%qhttp2: server rejecting conn: %v, %sHeader called after Handler finishedRoundTrip retrying after failure: %vJanFebMarAprMayJunJulAugSepOctNovDecno acceptable authentication methodsGet the details of an API key by ID.Delete an application session by ID.Get the details of a Bot User by ID.raw PEM of the Certificate Authoritymodule.provider.github.client-secretmodule.provider.github.email-domainsmodule.provider.github.organizationsmodule.provider.google.client-secretmodule.provider.google.email-domainsmodule.provider.gitlab.client-secretmodule.provider.gitlab.email-domainsmodule.provider.twitch.client-secretmodule.provider.twitch.email-domainsmodule.provider.amazon.client-secretmodule.provider.amazon.email-domainsmutual-tls.certificate-authority-idsThe ID portion of an AWS access key.target.cloudwatch-logs.log-group-arnService name to send with the event.List all IP policies on this accountexpected an ECDSA public key, got %TTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHAtls: keys must have at least one keyunsupported SSLv2 handshake 
receivedtls: server did not send a key sharejson: encoding error for type %q: %qAPIInvalidCertificateAuthorityIDCodeAPIInvalidEventDestinationFormatCodeAPIInvalidEventDestinationTargetCodeBindAgentRequestHeaderAddInvalidCodeBindAgentHeaderKeyLengthExceededCodeBindAgentHeaderValLengthExceededCodeBindLabeledTunnelACLNotSupportedCodeReservedDomainNonLeadingWildcardCodeReservedDomainGaugeLimitExceededCodeReservedDomainNameDomainConflictCodeReservedAddressRateLimitExceededCodeMuxHTTPRequestsRateLimitExceededCodeBillingEmailAddressInvalidLengthCodeBillingAddressGaugeLimitExceededCodeEndpointConfigurationTypeInvalidCodeCertsInvalidDomainAlreadyManagedCodeCertsSSHUnsupportedPublicKeyTypeCodeCertsSSHUserCertNegativeDurationCodeCertsSSHHostCertNegativeDurationCodeMwCompileOAuthInvalidEmailDomainCodeMwPolicyInvalidActionConfigValueCodeMwPolicyHeaderValueLengthInvalidCodeMwPolicyCompressInvalidAlgorithmCodeMwPolicyInvalidIPPolicyReferenceCodeMwPolicyFieldNotUserConfigurableCodeMwRuntimeOAuthUserActionRequiredCodeEventDestinationDatadogAuthErrorCodeFederatedIdPOIDCPointcfgNotFoundCodeBackendMisma
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeString found in binary or memory: http: putIdleConn: keep alives disabledinvalid HTTP header value for header %qusername/password authentication failedcertificate-management-policy.authorityList all API keys owned by this accountmodule.provider.microsoft.client-secretmodule.provider.microsoft.email-domainsoauth.provider.facebook.email-addressesoauth.provider.linkedin.email-addressesUpdate attributes of an IP policy by IDexec: environment variable contains NULtls: unsupported certificate curve (%s)TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256tls: internal error: wrong nonce lengthno mutually supported protocol versionschain is not signed by an acceptable CACredsCredentialMembershipIsInactiveCodeCredsCannotDeleteDefaultTunnelTokenCodeMuxIncomingTrafficRateLimitExceededCodeMuxOutgoingTrafficRateLimitExceededCodeMuxConnectionsPerMonthLimitExceededCodeSSHTunnelHostnameSubdomainExclusiveCodeEndpointConfigurationInvalidRequestCodeEndpointConfigurationOAuthEmptyTeamCodeEndpointConfigurationCADoesNotExistCodeEndpointConfigurationDescCharsLimitCodeEndpointConfigurationMetaCharsLimitCodeEndpointConfigurationMutualTLSNotCACodeCertsCertificateInsteadOfPrivateKeyCodeCertsPrivateKeyInsteadOfCertificateCodeCertsSSHCAEllipticCurveNotSupportedCodeMwCompileTLSInvalidHandshakeTimeoutCodeMwCompileUserSessionInvalidSameSiteCodeMwRuntimeOAuthUserResourceForbiddenCodeMwRuntimeJWTValidationPrefixMissingCodeEmailConfirmationsResendRateLimitedCodeEventDestinationInvalidARNPartitionCodeFederatedIdPOIDCTokenExchangeFailedCodeFederatedIdPOIDCConfigurationAbsentCodeFederatedIdPOAuthInvalidEmailDomainCodeBackendHTTPResponseHeaderKeyInvalidCodeMembershipsSetPermissionsDisallowedCodeMembershipsSetActiveDisallowedAdminCodeEdgeInvalidCircuitBreakerNumBucketsCodeEdgeOAuthInvalidPunycodeEmailDomainCodeEdgeSessionInactivityTimeoutTooHighCodeEdgeAccountNotAuthorizedCompressionCo
deEdgeJWTValidationHttpTokenDuplicateCodesession closed, starting reconnect loop/reserved_domains/{{ .ID }}/certificateassets/local/tls/trusted.root.local.crtassets/local/tls/trusted.root.stage.crtRtlDosPathNameToNtPathName_U_WithStatuscannot decode node with unknown kind %dunknown problem generating YAML contentcannot marshal invalid UTF-8 data as %scannot encode node with unknown kind %dfound an incorrect trailing UTF-8 octetdid not find expected hexdecimal numberx509: invalid subject alternative namesx509: invalid NameConstraints extensionx509: failed to parse URI constraint %qx509: unknown EC private key version %d because it doesn't contain any IP SANsx509: signing with MD5 is not supportedIPv4 field must have at least one digitmissing argument to repetition operatortrailing backslash at end of expressionextraneous or missing " in quoted-fieldcsv: invalid field or comment delimiterproxyproto: can't read version 1 headermartini handler must be a callable funcfailed to deserialize request parameterUnable to upgrade websocket request: %vCreating new client transport to %q:
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeString found in binary or memory: Specified region is not in the known seterrors: target must be a non-nil pointer13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 called with negative precreflect: FieldByName of non-struct type reflect.Value.Call: call of nil functionreflect.Value.Call: wrong argument countattempted to copy pointer to FP registerMapIter.Key called on exhausted iteratorreflect.Value.SetBytes of non-byte slicereflect.Value.setRunes of non-rune sliceinvalid span in heapArena for user arenaruntime: typeBitsBulkBarrier with type bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsaddress family not supported by protocoltime: Stop called on uninitialized Timertimeout while trying to apply the updateTunnel declaration must contain a 'name'Policy is one of: 'always', 'only_minor'http2: timeout awaiting response headersFrame accessor called on non-owned Frameinternal error: expecting non-nil streamrequest header %q is not valid in HTTP/2http2: Transport encoding header %q = %qprotocol error: headers after END_STREAMwriteData(stream=%d, p=%d, endStream=%v)host contains '{' (missing initial '/'?)bad wildcard segment (must end with '}')backend to be used to back this endpointmodule.provider.facebook.email-addressesmodule.provider.linkedin.email-addresseshttps-edge-route-websocket-tcp-converteroauth.provider.microsoft.email-addressesList all active endpoints on the accountThe secret portion of an AWS access key.List this Account's Event 
Subscriptions.List all IP policy rules on this accountList all IP restrictions on this accountList all ssh credentials on this accountList all static backends on this accountclient doesn't support certificate curveoversized record received with length %dtls: received empty certificates messagetls: client didn't provide a certificateBindTunnelAnonymousRateLimitExceededCodeReservedDomainChallengeCNAMENotFoundCodeReservedDomainRegionChangeNotAllowedCodeReservedAddrInvalidConfigurationTypeCodeMuxHTTPRequestsPerMonthLimitExceededCodeTunnelV2OperationCommunicationFailedCodeMaintenanceSomeOperationsUnavailableCodeEndpointConfigurationOAuthEmptyGroupCodeIPRestrictionAccountNotAuthorizedAPICodeMwCompileBasicAuthRealmLengthInvalidCodeMwCompileHTTPHeaderNameLengthInvalidCodeMwCompileUserAgentFilterInvalidRegexCodeMwRuntimeOAuthUserMissingPermissionsCodeMwRuntimeOAuthProviderAPIUnavailableCodeMwRuntimeFederatedAuthCookieNotFoundCodeMwRuntimeJWTValidationTokenMalformedCodeMwRuntimeJWTValidationJWKSFetchErrorCodeAccountsTrafficFullCaptureDisallowedCodeInvitationsAdminPermissionDisallowedCode
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeString found in binary or memory: Use: stop <id>tls: internal error: sending non-handshake message to QUIC transportEndpointConfigurationCircuitBreakerThresholdPercentageOutOfRangeCodeexpected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vembedded IPv4 address must replace the final 2 fields of the addressinvalid retry throttling config: tokenRatio (%v) may not be negativeheap profile: *(\d+): *(\d+) *\[ *(\d+): *(\d+) *\] @ fragmentationz2695994666715063979466701508701963067355791626002630814351006629888126959946667150639794667015087019625940457807714424391721682722368061crypto/hmac: hash generation function does not produce unique valuesinvalid proto.Message(%T) type, expected a protoreflect.Message typebig: invalid 2nd argument to Int.Jacobi: need odd integer but got %sexpected a JSON struct with one entry; received entry %v at index %dChannelz: socket options are not supported on non-linux environmentscannot assign %v, needed to assign %d elements, but only assigned %dpq: Could not detect default username. Please provide one explicitlyinvalid descriptor: using edition features in a proto with syntax %sextension %v does not implement protoreflect.ExtensionTypeDescriptorYou must specify -config with the path to an ngrok configuration fileYou may not specify both 'region' and 'server_addr' at the same time.Connect timeout must be a positive time duration, e.g. '10s', '500ms'reflect: embedded interface with unexported method(s) not implementedhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)%s matches more methods than %s, but has a more specific path pattern%s matches fewer methods than %s, but has a more general path patternarbitrary user-defined data of this API key. 
optional, max 4096 bytesAdd an additional type for which this event subscription will triggertls: peer doesn't support the certificate custom signature algorithmstls: handshake message of length %d bytes exceeds maximum of %d bytestls: client certificate contains an unsupported public key of type %Ttoo many hex fields to fit an embedded IPv4 at the end of the addressNetPrefix IP had a length of %d where a length of 4 or 16 is requiredparam: error parsing key %q: unknown field %q on struct %q of type %vedwards25519: internal error: setShortBytes called with a long stringheap profile: *(\d+): *(\d+) *\[ *(\d+): *(\d+) *\] @ fragmentationz?path to TLS certificate authority to verify client certs in mutual tlsFile tunnel %s encountered an error validating directory path '%s': %vsync/atomic: compare and swap of inconsistently typed value into Valuebytes.Buffer: UnreadByte: previous operation was not a successful readinexhaustive case match in server command handler: unknown command %+vgot %s for stream %d; expected CONTINUATION following %s for stream %dAbuse Reports allow you to submit take-down requests for URLs hoste...invalid number of arguments: got %d, need at least %d
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: ngrok tcp --remote-addr=1.tcp.ngrok.io:27210 3389 The time when this host certificate becomes invalid, in RFC 3339 format. If unspecified, a default value of 24 hours will be used. The OpenSSH certificates RFC calls this valid_before.
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: The add-server-addr command modifies your configuration file to include
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: the next backend in the list until one is successful. Updates a TCP Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API. Updates a TLS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API. Updates an HTTPS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API. Defines the name identifier format the SP expects the IdP to use in its assertions to identify subjects. If unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of the allowed values enumerated by the SAML specification are supported. the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizing the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user. A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See the OpenSSH certificate protocol spec (https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys) for additional details. Updates an HTTPS Edge Route by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API. If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed. API Keys are used to authenticate to the ngrok
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: -h, --help help for ngrok
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: Use "ngrok [command] --help" for more information about a command.
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: --remote-addr option. ngrok requires that you reserve a TCP tunnel
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: Use "{{.CommandPath}} [command] --help" for more information about a command.{{end}}
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: set -l directive (string sub --start 2 $__%[1]s_perform_completion_once_result[-1])
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: net/addrselect.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: github.com/pires/go-proxyproto@v0.7.0/addr_proto.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: google.golang.org/grpc@v1.63.0/internal/balancerload/load.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_common.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_no.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v1.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v2.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: go.ngrok.com/lib/web/manifest/loader.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: github.com/kentik/patricia@v1.2.0/address_v4.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: github.com/kentik/patricia@v1.2.0/address_v6.go
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe String found in binary or memory: golang.org/x/sys@v0.19.0/windows/svc/eventlog/install.go
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /K
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Section loaded: samlib.dll
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Static PE information: certificate valid
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Static file information: File size 29598952 > 1048576
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xa55200
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1078600
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Static PE information: section name: .xdata
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Binary or memory string: X4xSOkS7vrOepX4JFNhqVdxut7pqEmuj1Xf7KhHtFquFM5fhLJHnWEJGWOTRbRVp
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe, 00000000.00000002.3380584783.0000024970EBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe, 00000003.00000002.2152832899.0000021965FE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe Process information queried: ProcessInformation
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /KJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe VolumeInformationJump to behavior
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 11 Process Injection | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe | 29% | ReversingLabs | Win64.Adware.RedCap |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1467826
Start date and time:2024-07-04 20:39:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 57s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe
Detection:MAL
Classification:mal52.winEXE@6/2@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe
No simulations
No context
Process:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe
File Type:GLS_BINARY_LSB_FIRST
Category:dropped
Size (bytes):160
Entropy (8bit):4.438743916256937
Encrypted:false
SSDEEP:3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:E467C82627F5E1524FDB4415AF19FC73
SHA1:B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:false
Reputation:moderate, very likely benign file
Preview:................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............
File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):5.650276292372597
TrID:
  • Win64 Executable Console (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe
File size:29'598'952 bytes
MD5:56d222d5febef9fb176df8c79d28c8ae
SHA1:e1e949d891ddb4039a7034eade86beaefc531d9e
SHA256:d1f800693df281cd68144d531f598c40b71b36138f4cc2655abdbf8d2990e92b
SHA512:c17fa988b3f5cd2e783f609cbb1909900aa19427f38ea587fcb372368b2793a561c0ae453b868f0f4a3a3fa6680ceccc2acd55a6f1da52add48bbd9fd3414694
SSDEEP:393216:/9ukPMFM+TZPLH7+hoj15mM5X1U/HXZnTZ2VdiF+A6PHsN:/skPMFMaPLqD
TLSH:85575A47F96440E8C5E9C135CA669212BF71BC888B3427D73B60F7686F76BD0AA79310
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........~........"......R.......... .........@...........................................`... ............................
Icon Hash:00928e8e8686b000
Entrypoint:0x47b120
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:1
File Version Major:6
File Version Minor:1
Subsystem Version Major:6
Subsystem Version Minor:1
Import Hash:07361a3a7f515bf56ca93120b2aca73b
Signature Valid:true
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 30/05/2024 02:00:00 28/08/2027 01:59:59
Subject Chain
  • E=support@ngrok.com, CN="Ngrok, Inc.", O="Ngrok, Inc.", L=San Diego, S=California, C=US
Version:3
Thumbprint MD5:CC5EDA008651FDA11F28615C7195CB79
Thumbprint SHA-1:7A54EB0D199484EB8CAEA931C90A744BCF02A7E0
Thumbprint SHA-256:DCD0CADC31F1510A6B56E2A76FD37B6D66E7A2B1B6016FA37FACE467F08F76B4
Serial:083A42D331C15FD98D28315D15D9E3F7
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ca1000 | 0x590 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1cdb000 | 0x228 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1c5f000 | 0x40884 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1c38400 | 0x20e8 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1ca2000 | 0x37bc4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1ad2340 | 0x190 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa5514f | 0xa55200 | 10cbf940d93ef34752cd2fd4aa6b9268 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa57000 | 0x1078558 | 0x1078600 | 5d478a7e6f03411dc4d0897b9540dd04 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1ad0000 | 0x18eb50 | 0xf1200 | dfea557c31616964268f375da0e1f414 | False | 0.2453708203732504 | data | 4.117664800815608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1c5f000 | 0x40884 | 0x40a00 | 4229c4b4f3130ada4a147d6020a0b720 | False | 0.3964465969535783 | data | 5.698051072256148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x1ca0000 | 0xb4 | 0x200 | 9426b63182379023a7b7c8245dbe6ead | False | 0.220703125 | data | 1.7635806726373504 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x1ca1000 | 0x590 | 0x600 | ef11ed436732e46c7ef96f23c87f76ad | False | 0.3912760416666667 | data | 4.344582072740945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x1ca2000 | 0x37bc4 | 0x37c00 | ed3d03af5a7e935bc77143ded8cb393c | False | 0.17344713424887892 | data | 5.4560178850684435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x1cda000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x1cdb000 | 0x228 | 0x400 | 9f26b038e6da8617dfe7705463fe72aa | False | 0.2802734375 | data | 1.8663270322878331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x1cdb058 | 0x1cc | data | English | United States | 0.5456521739130434

DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetThreadPriority, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateWaitableTimerA, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Language of compilation system | Country where language is spoken | Map
English | United States |
No network behavior found


Target ID:0
Start time:14:40:01
Start date:04/07/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe"
Imagebase:0x770000
File size:29'598'952 bytes
MD5 hash:56D222D5FEBEF9FB176DF8C79D28C8AE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Go lang
Reputation:low
Has exited:false

Target ID:2
Start time:14:40:01
Start date:04/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:3
Start time:14:40:02
Start date:04/07/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.Ngrok.1.31677.21594.exe
Imagebase:0x770000
File size:29'598'952 bytes
MD5 hash:56D222D5FEBEF9FB176DF8C79D28C8AE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Go lang
Reputation:low
Has exited:true

Target ID:4
Start time:14:40:03
Start date:04/07/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /K
Imagebase:0x7ff78df20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

No disassembly