Windows Analysis Report
ngrok.exe

Overview

General Information

Sample name: ngrok.exe
Analysis ID: 1546090
MD5: 2c106f3e8251521af24411b49012ec34
SHA1: 40e50a9a123d61c1e78e476cb82eca3c55d39e58
SHA256: 415895b622a53a04e39711a0a3d7bc3066598c736565257c192ade6233dd1f6d
Tags: exe, user-TuckerMurphy19

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly
Creates a process in suspended mode (likely to inject code)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic

Classification

AV Detection

Source: ngrok.exe ReversingLabs: Detection: 23%
Source: ngrok.exe Static PE information: certificate valid
Source: ngrok.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49739
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49733
Source: classification engine Classification label: mal52.winEXE@6/2@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: ngrok.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ngrok.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
access key.Client Secret for the application clientList this Account's Event Subscriptions.List all IP policy rules on this accountList all IP restrictions on this accountList all ssh credentials on this accountList all static backends on this accountclient doesn't support certificate curveoversized record received with length %dtls: received empty certificates messagetls: client didn't provide a certificateBindTunnelAnonymousRateLimitExceededCodeReservedDomainChallengeCNAMENotFoundCodeReservedDomainRegionChangeNotAllowedCodeReservedAddrInvalidConfigurationTypeCodeMuxHTTPRequestsPerMonthLimitExceededCodeTunnelV2OperationCommunicationFailedCodeMaintenanceSomeOperationsUnavailableCodeEndpointConfigurationOAuthEmptyGroupCodeIPRestrictionAccountNotAuthorizedAPICodeMwCompileBasicAuthRealmLengthInvalidCodeMwCompileHTTPHeaderNameLengthInvalidCodeMwCompileUserAgentFilterInvalidRegexCodeMwPolicyActionFailedConfigResolutionCodeMwRuntimeOAuthUserMissingPermissionsCodeMwRuntimeOAuthProviderAPIUnavailableCodeMwRuntimeFederatedAuthCookieNotFoundCode
Source: ngrok.exe String found in binary or memory: Use: stop <id>tls: internal error: sending non-handshake message to QUIC transportEndpointConfigurationCircuitBreakerThresholdPercentageOutOfRangeCodeexpected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vembedded IPv4 address must replace the final 2 fields of the addressinvalid retry throttling config: tokenRatio (%v) may not be negative2695994666715063979466701508701963067355791626002630814351006629888126959946667150639794667015087019625940457807714424391721682722368061crypto/hmac: hash generation function does not produce unique valuesinvalid proto.Message(%T) type, expected a protoreflect.Message typebig: invalid 2nd argument to Int.Jacobi: need odd integer but got %sexpected a JSON struct with one entry; received entry %v at index %dChannelz: socket options are not supported on non-linux environmentscannot assign %v, needed to assign %d elements, but only assigned %dpq: Could not detect default username. Please provide one explicitlyinvalid descriptor: using edition features in a proto with syntax %sextension %v does not implement protoreflect.ExtensionTypeDescriptorYou must specify -config with the path to an ngrok configuration fileYou may not specify both 'region' and 'server_addr' at the same time.Connect timeout must be a positive time duration, e.g. '10s', '500ms'reflect: embedded interface with unexported method(s) not implementedruntime.Pinner: found leaking pinned pointer; forgot to call Unpin()?http2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)%s matches more methods than %s, but has a more specific path pattern%s matches fewer methods than %s, but has a more general path patternarbitrary user-defined data of this API key. 
optional, max 4096 bytesAdd an additional type for which this event subscription will triggertls: peer doesn't support the certificate custom signature algorithmstls: handshake message of length %d bytes exceeds maximum of %d bytestls: client certificate contains an unsupported public key of type %Ttoo many hex fields to fit an embedded IPv4 at the end of the addressinternal/concurrent.HashMapTrie: ran out of hash bits while iteratinginternal/concurrent.HashMapTrie: ran out of hash bits while insertingNetPrefix IP had a length of %d where a length of 4 or 16 is requiredparam: error parsing key %q: unknown field %q on struct %q of type %vedwards25519: internal error: setShortBytes called with a long stringheap profile: *(\d+): *(\d+) *\[ *(\d+): *(\d+) *\] @ fragmentationz?You may not specify any endpoint or tunnel names with the --all switchpath to TLS certificate authority to verify client certs in mutual tlsFile tunnel %s encountered an error validating directory path '%s': %vsync/atomic: compare and swap of inconsistently typed value into Valuebytes.Buffer: UnreadByte: previous operation was not a successful readinexhaustive case match in server command handler: unknown command %+vgot %s for stream %d; expected CONTINUATION following %s for stream %dAbuse Reports allow you to s
Source: ngrok.exe String found in binary or memory: the next backend in the list until one is successful.Updates a TCP Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates a TLS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates an HTTPS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Defines the name identifier format the SP expects the IdP to use in its assertions to identify subjects. If unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of the allowed values enumerated by the SAML specification are supported.the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizing the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See the OpenSSH certificate protocol spec (https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys) for additional details.Updates an HTTPS Edge Route by ID. If a module is not specified in the update, it will not be modified. 
However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.API Keys are used to authenticate to the ngrok
Source: ngrok.exe String found in binary or memory: -h, --help help for ngrok
Source: ngrok.exe String found in binary or memory: Use "ngrok [command] --help" for more information about a command.
Source: ngrok.exe String found in binary or memory: Use "{{.CommandPath}} [command] --help" for more information about a command.{{end}}
Source: ngrok.exe String found in binary or memory: set -l directive (string sub --start 2 $__%[1]s_perform_completion_once_result[-1])
Source: ngrok.exe String found in binary or memory: net/addrselect.go
Source: ngrok.exe String found in binary or memory: github.com/pires/go-proxyproto@v0.7.0/addr_proto.go
Source: ngrok.exe String found in binary or memory: google.golang.org/grpc@v1.65.0/internal/balancerload/load.go
Source: ngrok.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load.go
Source: ngrok.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v3.go
Source: ngrok.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_common.go
Source: ngrok.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v1.go
Source: ngrok.exe String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v2.go
Source: ngrok.exe String found in binary or memory: go.ngrok.com/lib/web/manifest/loader.go
Source: ngrok.exe String found in binary or memory: github.com/kentik/patricia@v1.2.1/address_v4.go
Source: ngrok.exe String found in binary or memory: github.com/kentik/patricia@v1.2.1/address_v6.go
Source: ngrok.exe String found in binary or memory: golang.org/x/sys@v0.26.0/windows/svc/eventlog/install.go
Source: C:\Users\user\Desktop\ngrok.exe File read: C:\Users\user\Desktop\ngrok.exe
Source: unknown Process created: C:\Users\user\Desktop\ngrok.exe "C:\Users\user\Desktop\ngrok.exe"
Source: C:\Users\user\Desktop\ngrok.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ngrok.exe Process created: C:\Users\user\Desktop\ngrok.exe C:\Users\user\Desktop\ngrok.exe
Source: C:\Users\user\Desktop\ngrok.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /K
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\ngrok.exe Section loaded: samlib.dll
Source: ngrok.exe Static PE information: certificate valid
Source: ngrok.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ngrok.exe Static file information: File size 27581664 > 1048576
Source: ngrok.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xaa0c00
Source: ngrok.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xe3f800
Source: ngrok.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ngrok.exe Static PE information: section name: .xdata
Source: ngrok.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\ngrok.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: ngrok.exe Binary or memory string: X4xSOkS7vrOepX4JFNhqVdxut7pqEmuj1Xf7KhHtFquFM5fhLJHnWEJGWOTRbRVp
Source: ngrok.exe, 00000002.00000002.1695921317.000002545781D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllddS
Source: ngrok.exe, 00000000.00000002.2926123585.000002A69C57C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllffSdP
Source: C:\Users\user\Desktop\ngrok.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ngrok.exe Queries volume information: C:\Users\user\Desktop\ngrok.exe VolumeInformation
No contacted IP infos