Edit tour

Windows Analysis Report
ngrok.exe

Overview

General Information

Sample name:	ngrok.exe
Analysis ID:	1546090
MD5:	2c106f3e8251521af24411b49012ec34
SHA1:	40e50a9a123d61c1e78e476cb82eca3c55d39e58
SHA256:	415895b622a53a04e39711a0a3d7bc3066598c736565257c192ade6233dd1f6d
Tags:	exeuser-TuckerMurphy19
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly

Creates a process in suspended mode (likely to inject code)

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

ngrok.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\ngrok.exe" MD5: 2C106F3E8251521AF24411B49012EC34)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ngrok.exe (PID: 2536 cmdline: C:\Users\user\Desktop\ngrok.exe MD5: 2C106F3E8251521AF24411B49012EC34)

cmd.exe (PID: 3068 cmdline: cmd.exe /K MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Sigma Signatures

System Summary

Sigma detected: Cmd.EXE Missing Space Characters Execution Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /K, CommandLine: cmd.exe /K, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ngrok.exe", ParentImage: C:\Users\user\Desktop\ngrok.exe, ParentProcessId: 7128, ParentProcessName: ngrok.exe, ProcessCommandLine: cmd.exe /K, ProcessId: 3068, ProcessName: cmd.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T13:52:19.134507+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49733	TCP
2024-10-31T13:52:58.002166+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.4	49739	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ngrok.exe

ReversingLabs: Detection: 23%

Source: ngrok.exe

Static PE information: certificate valid

Source: ngrok.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49733

Source: ngrok.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ngrok.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ngrok.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ngrok.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ngrok.exe	String found in binary or memory: http://creativecommons.org/publicdomain/zero/1.0
Source: ngrok.exe	String found in binary or memory: http://crl.ngrok-agent.com/ngrok.crlInvalid
Source: ngrok.exe	String found in binary or memory: http://crl.ngrok.com/ngrok.crl227373675443232059478759765625reflect:
Source: ngrok.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ngrok.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ngrok.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ngrok.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ngrok.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: ngrok.exe	String found in binary or memory: http://fsf.org/
Source: ngrok.exe	String found in binary or memory: http://jedwatson.github.io/classnames
Source: ngrok.exe	String found in binary or memory: http://mattn.mit-license.org/2013
Source: ngrok.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: ngrok.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: ngrok.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: ngrok.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: ngrok.exe	String found in binary or memory: http://www.apache.org/licenses/
Source: ngrok.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ngrok.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: ngrok.exe	String found in binary or memory: http://www.eslinstructor.net/vkbeautify/
Source: ngrok.exe	String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: ngrok.exe	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: ngrok.exe	String found in binary or memory: https://api.ngrok.comagent
Source: ngrok.exe	String found in binary or memory: https://dashboard.ngrok.com/api.
Source: ngrok.exe	String found in binary or memory: https://dashboard.ngrok.com/api/keys)
Source: ngrok.exe	String found in binary or memory: https://dashboard.ngrok.com/billing/subscription
Source: ngrok.exe	String found in binary or memory: https://dashboard.ngrok.com/obs/traffic-inspector
Source: ngrok.exe	String found in binary or memory: https://getbootstrap.com/)
Source: ngrok.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: ngrok.exe	String found in binary or memory: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css
Source: ngrok.exe	String found in binary or memory: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)
Source: ngrok.exe	String found in binary or memory: https://github.com/spf13/cobra/issues/1279
Source: ngrok.exe	String found in binary or memory: https://github.com/spf13/cobra/issues/1508
Source: ngrok.exe	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: ngrok.exe	String found in binary or memory: https://instrumentation-telemetry-intake.datadoghq.com/api/v2/apmtelemetryAddAttrs
Source: ngrok.exe	String found in binary or memory: https://ngrok....Certificate
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/api#authentication).
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/cloud-edge/endpoints#certificate-chains).Integer
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/cloud-edge/endpoints#private-keys).A
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/cloud-edge/modules/webhook-verification
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/cloud-edge/modules/webhook-verification)the
Source: ngrok.exe, 00000002.00000002.1687544880.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ngrok.com/docs/errors/err_ngrok_8012
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/docs/errorsfailed
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/tos
Source: ngrok.exe	String found in binary or memory: https://ngrok.com/tosAuto
Source: ngrok.exe	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: ngrok.exe	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-K3RD62G
Source: ngrok.exe, 00000000.00000002.2924581364.000000C0005D4000.00000004.00001000.00020000.00000000.sdmp, ngrok.exe, 00000002.00000002.1694726269.000000C00050E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ngrok.com
Source: ngrok.exe	String found in binary or memory: https://www.notion.so/ngrok/FAQ-Builds-Bazel-a40e408a0e0f4c9b9613942221e30a32

Source: ngrok.exe

Binary string: bindm in unexpected GOOSruntime: mp.lockedInt = runqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockfloating point exceptionconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard TimeMontevideo Standard TimeMagallanes Standard TimePacific SA Standard TimeAzerbaijan Standard TimeBangladesh Standard TimeNorth Asia Standard TimeCape Verde Standard Timeexpected float; found %sGot update major commandunknown region '%s' - %sCheck for update failed:timed out while updating/inspect/http/.+/requestapplication/octet-stream2006-01-02T15:04:05-0700log15: unknown level: %vMon Jan _2 15:04:05 2006text/html; charset=utf-8unexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sstream %d already openedConnContext returned nilRequest Entity Too Largehttp: nil Request.Headerhttps-edge-route-backendmodule.authorized-groupsresponse-headers.enabledoauth.inactivity-timeoutsaml.options-passthroughsaml.allow-idp-initiatedoidc.options-passthroughDelete an IP restrictionDelete a TLS certificatetls-edge-tls-terminationexec: Stdout already setexec: Stderr already setBuffer called after Scanerror decrypting messagecertificate unobtainableTLS_RSA_WITH_RC4_128_SHAtls: server rejected ECHjson: unsupported type: buffer closed previouslyTunnelV2IPRestrictedCodeAuthInvalidUserAgentCodeAPIInvalidCredentialCodeAPIInvalidTLSVersionCodeAPIInvalidIPPolicyIDCodeAPIInvalidEventFieldCodeBindUnsupportedProtoCodeBindIPPolicyNotExistCodeBindDomainUnderscoreCodeCredsDescrCharsLimitCodeSSHTunnelBadProtocolCodeSSHTunnelPortInvalidCodeIPPolicyRuleNotFoundCodeIPPolicyMissingParamCodeMwPolicyInvalidParseCodeMwRuntimeExplicitBanCodeAccountNotAuthorizedCodeMapNonexistentServerCodeHTMLDisallowedRegionCodeBannedAddrIDNotFoundCodeBackendWeightedLimitCodeBackendFailoverLimitCodeEdgeDeleteStillInUseCodeEdgeHeaderKeyInvalidCodeEdgeHeaderValInvalidCodeEdgeValidationErrorsCodeEdgeHostportNotFoundCodeEdgeInvalidPortRangeCodeEdgeRouteNoMatchExprCodeEdgeInvalidMatchTypeCodeEdgeOIDCScopeTooLongCodeDashClientInvalidARNCodeCorpClientInvalidARNCodeMFADeviceTypeInvalidCode [%d/%d from method '%s'failed to write response/abuse_reports/{{ .ID }}/certificate_authoritiesWaitToKillServiceTimeoutAllocateAndInitializeSidBuildSecurityDescriptorWAssignProcessToJobObjectGenerateConsoleCtrlEventGetMaximumProcessorCountGetNamedPipeHandleStateWSetConsoleCursorPositionSetDefaultDllDirectoriesNtQuerySystemInformationSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDeviceGetWindowThreadProcessIdduplicate %TAG directiveread handler must be setexceeded max depth of %dwhile scanning an anchorx509: malformed validityaddress string too shortsuccessful verify of CRL

Source: classification engine

Classification label: mal52.winEXE@6/2@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: ngrok.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ngrok.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ngrok.exe

ReversingLabs: Detection: 23%

Source: ngrok.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine terminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dll%!Weekday(short read --%sint32Sliceint64Slice<no value>value for arg %d: %wChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtraForwardingconnectingerror.htmldisconnecttunnelNameUser-Agent/static/.+vendor.css.localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = ConnectionKeep-Alivelocal-addrimage/webpimage/jpegaudio/aiffaudio/mpegaudio/midiaudio/wavevideo/webmfont/woff2RST_STREAMEND_STREAMSet-Cookiebytes */%d stream=%dset-cookieuser-agentkeep-alive:authorityconnectionequivalentHost: %s
Source: ngrok.exe	String found in binary or memory: assets/tls/Interactivesechost.dllversion.dllGetFileTimeSetCommMaskVirtualFreeNetUserEnumCoGetObjectEnumWindowsMessageBoxWToUnicodeExmapping endyYnNtTfFoO~!!timestamphost-headercompressionoauth-scopepolicy-fileremote-addrinvalid oidnext_updategocachehashgocachetestarchive/tarcrypto/x509archive/zipparse errorexpected :=empty fieldInstCaptureInstRuneAny[:^xdigit:]<invalid opSystemDriveProgramDatamin_versiongot requestcannot copyCERTIFICATEcontextmenucrossoriginformenctypeplaceholder_eval_args_\x3C/scriptdevelopmentMARTINI_ENVgrpc-statuspassthroughgrpc.Server"CANCELLED""NOT_FOUND""DATA_LOSS"UnavailableUNAVAILABLEpb.db_codec> in space ReportFaultuser_facingerror.stackhttp.methodhttp.flavorClassHESIODauthoritiesadditionalsIn-Reply-ToReturn-Pathhttps_proxyBernoullis;CirclePlus;EqualTilde;Fouriertrf;ImaginaryI;Laplacetrf;LeftVector;Lleftarrow;NotElement;NotGreater;Proportion;RightArrow;RightFloor;Rightarrow;TildeEqual;TildeTilde;UnderBrace;UpArrowBar;UpTeeArrow;circledast;complement;curlywedge;eqslantgtr;gtreqqless;lessapprox;lesseqqgtr;lmoustache;longmapsto;mapstodown;mapstoleft;nLeftarrow;nleftarrow;precapprox;rightarrow;rmoustache;sqsubseteq;sqsupseteq;subsetneqq;succapprox;supsetneqq;upuparrows;varepsilon;varnothing;ThickSpace;nsubseteqq;nsupseteqq;nanosecondsalloc_space# Sys = %d
Source: ngrok.exe	String found in binary or memory: ; EXPIRE: ;; opcode: AUTHORITY: Fixed32KindFixed64KindMessageKindnested_typeoneof_indexallow_aliasoutput_typejson_formatdeclarationStatusCode(NOT_SERVINGChannel #%d{Addr: %q, Closing: %vGrpc-Statusround_robinnot allowedlast minuteDECLARATION"-Infinity"timestamptzsslrootcert READ WRITEpostgres://15:04:05-07.postgresqltransactioninvalid: %vmutex.pprofblock.pprofMachineGuidProductNamehttp.schemehttp.targetnet.host.ipnet.peer.ipavx512vnniwavx512vbmi2_INT2VECTORTIMESTAMPTZPG_DATABASEREGOPERATORANYNONARRAYFDW_HANDLERTSM_HANDLERCGO_ENABLED0x[0-9a-f]+do_memaligntc_memaligntc_newarrayruntime\.._M_allocatepprof::baseapp-startedapp-closingBackupWriteFieldRangesFileImportsCardinalityHasJSONNameHasPresenceIsExtensionfallthroughapi.pricingautoscalingcloudsearchcognito-idpdevops-guruelasticacheiotsitewiseiotwirelessivsrealtimeopsworks-cmpersonalizerekognitionruntime.lexs3-outpostssecurityhubvoice-chimevpc-latticeUS ISO EastUS ISO WEST^([^:]+)://<sensitive>Content-Md5,omitempty,<panic: %s>exit status can't happenthis commandversion for Subcommand 'write-reportgoogle_httpsResolver: %sHostname: %sConnectivity%s [command]usageExamplecommand_lineSet '%s: %s'socks5_proxysocks5-proxyterminate-athttp://%s:80api_base_url152587890625762939453125short buffer has no name has no typereflect.Copyinvalid pathOpenServiceWRevertToSelfCreateEventWGetConsoleCPUnlockFileExVirtualQueryadvapi32.dlliphlpapi.dllkernel32.dllnetapi32.dllsweepWaiterstraceStringsspanSetSpinemspanSpecialtraceTypeTabgcBitsArenasmheapSpecialgcpacertraceharddecommitmadvdontneeddumping heapchan receivelfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at ( s.elemsize= B (
Source: ngrok.exe	String found in binary or memory: [0m=%s.in-addr.arpa.unknown mode: Content-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMbytes %d-%d/%dERR_UNKNOWN_%daccept-charsetcontent-lengthfirst_settingsping_on_streamtrailers_bogusread_frame_eof{$} not at endempty wildcardinvalid methodparsing %q: %wunknown error unknown code: Not Acceptablemodule.enabledoidc.client-idtraffic-policyreserved-addrscertificate-idelliptic-curvestatic-address
Source: ngrok.exe	String found in binary or memory: Operation ID: %sNgrok-Operation-Id/backends/failover/backends/weighted/tunnels/{{ .ID }}assets/BUILD.bazelassets/credits.txtassets/static/css/CM_MapCrToWin32ErrCloseServiceHandleCreateWellKnownSidGetSidSubAuthorityMakeSelfRelativeSDCertGetNameStringWCryptUnprotectDataPFXImportCertStoreGetBestInterfaceExClosePseudoConsoleEscapeCommFunctionGetCommModemStatusGetConsoleOutputCPGetCurrentThreadIdGetModuleHandleExWGetVolumePathNameWRemoveDllDirectorySetConsoleOutputCPTerminateJobObjectWriteProcessMemoryEnumProcessModulesGetModuleBaseNameWtag:yaml.org,2002:oauth-allow-domainoidc app client idoidc-client-secretrequest-header-addx509negativeserialunable to parse IPnetip.ParsePrefix(error fetching CRLcannot be negativeflag %q contains =flag redefined: %s[^\x00-\x{10FFFF}]less than a minuteleft join finishedapp://%s/%s?pid=%dtext/javascript1.0text/javascript1.1text/javascript1.2text/javascript1.3text/javascript1.4text/javascript1.5half join completeSubchannel createdSubchannel deletedunknown service %vServer.Stop called"INVALID_ARGUMENT"FailedPreconditionRESOURCE_EXHAUSTEDpb.gen_with_suffixexpected element <invalid XML name: Proxy-AuthenticateRCodeServerFailuredecoding error: %vDoubleUpDownArrow;DoubleVerticalBar;DownLeftTeeVector;DownLeftVectorBar;FilledSmallSquare;GreaterSlantEqual;LeftDoubleBracket;LeftDownTeeVector;LeftDownVectorBar;LeftTriangleEqual;NegativeThinSpace;NotReverseElement;NotTildeFullEqual;RightAngleBracket;RightUpDownVector;SquareSubsetEqual;VerticalSeparator;blacktriangledown;blacktriangleleft;leftrightharpoons;rightleftharpoons;twoheadrightarrow;NotGreaterGreater;NotLessSlantEqual;NotNestedLessLess;NotSquareSuperset;# TotalAlloc = %d
Source: ngrok.exe	String found in binary or memory: /api_keys/{{ .ID }}/event_destinationsFailed to %s %v: %vQueryServiceConfigWCreatePseudoConsoleDisconnectNamedPipeGetDiskFreeSpaceExWGetLargePageMinimumGetOverlappedResultGetSystemDirectoryWResizePseudoConsoleRtlAddFunctionTableGetForegroundWindowLoadKeyboardLayoutWGetFileVersionInfoWWSALookupServiceEndwhile parsing a tagoauth-client-secretresponse-header-addtraffic-policy-fileinvalid URL escape missing ']' in hostx509: malformed OIDx509: trailing datax509: unknown error too large for IPv4 too large for IPv6file already existsfile does not existfile already closedmultipartmaxheadersunclosed left parenunknown branch typetemplate: %s:%d: %sunexpected %s in %sRUNEWIDTH_EASTASIANWriteConsoleOutputWXDG_PUBLICSHARE_DIRright join finishedcannot reset bufferNo update availableBad hex digit in %qno such template %qapplication/ld+jsongoogle.protobuf.AnyBasic realm="ngrok"Prerelease is emptyrequest body closedRegisterService(%q)"DEADLINE_EXCEEDED""PERMISSION_DENIED"FAILED_PRECONDITIONpb/extensions.protopb.cli_pretty_printzero length segmentRCodeNotImplementedmime: no media typebinary.LittleEndianevictCount overflowDownRightTeeVector;DownRightVectorBar;LongLeftRightArrow;Longleftrightarrow;NegativeThickSpace;PrecedesSlantEqual;ReverseEquilibrium;RightDoubleBracket;RightDownTeeVector;RightDownVectorBar;RightTriangleEqual;SquareIntersection;SucceedsSlantEqual;blacktriangleright;longleftrightarrow;NotLeftTriangleBar;parsing profile: %w#%#x%s+%#x%s:%d
Source: ngrok.exe	String found in binary or memory: unknown address type command not supportedPrecondition RequiredInternal Server ErrorCreate a new bot userdelete <edge-id> <id>module.rolling-windowhttps-edge-route-oidchttps-edge-route-samlsaml.maximum-durationoidc.maximum-durationsaml.idp-metadata-urlupdate <edge-id> <id>target.datadog.ddtagstarget.datadog.ddsitestatus code to returnhttps-edge-mutual-tlsssh-host-certificatesssh-user-certificatesexec: already startedbufio: negative countdecompression failureunsupported extensionX25519Kyber768Draft00after top-level valuein string escape codeflow control violatedAuthImproperTokenCodeAPIInvalidVersionCodeAPIMissingVersionCodeBindAnonSubdomainCodeBindWildcardMatchCodeBindHostportInUseCodeBindDomainTooLongCodeReservedAddrLimitCodeMuxBadHTTPRequestCodeMuxRequestTimeoutCodeBillingEmailLimitCodeDashNoGoogleLoginCodeDashSignupBlockedCodeCertsDNS01NSCountCodeAccountsNameEmptyCodeUsersEmailInvalidCodeAbuseTCPIPUnknownCodeEvsubInvalidFieldCodeBackendNotAllowedCodeEdgeLimitExceededCodeEdgeAuthExclusionCodeAgentIPV6DisabledCodeMFADeviceNotFoundCodefailed to deserializeInvalid log level: %wassets/BUILD.bazel.inCM_Get_DevNode_StatusChangeServiceConfig2WDeregisterEventSourceEnumServicesStatusExWGetNamedSecurityInfoWSetNamedSecurityInfoWDwmGetWindowAttributeDwmSetWindowAttributeGetVolumeInformationWNtCreateNamedPipeFileSetupDiEnumDeviceInfoSetupUninstallOEMInfWWSALookupServiceNextWWTSEnumerateSessionsWinvalid emitter stateexpected STREAM-STARTexpected DOCUMENT-ENDcannot marshal type: write handler not setverify-webhook-secretrequest-header-removeinvalid NumericStringx509: invalid versionIPv4 address too longunexpected slice sizeerror parsing CRL URLfailed to verify CRL:CRL out of date at %sflag %q begins with -record on line %d: %vbad number syntax: %qundefined variable %qinvalid named captureGetCurrentConsoleFontno more state changesinvalid tunnel configat range loop break: message_set_extensionlistening on %s (%s)
Source: ngrok.exe	String found in binary or memory: Run '%v --help' for usage.
Source: ngrok.exe	String found in binary or memory: Run '%v --help' for usage.
Source: ngrok.exe	String found in binary or memory: Invalid URL for json_resolver_url142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length sync: RUnlock of unlocked RWMutexskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangetoo many levels of symbolic linksInitializeProcThreadAttributeListwaiting for unsupported file typebytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whenceflag accessed but not defined: %sunknown shorthand flag: %q in -%sflag needs an argument: %q in -%s%s must be formatted as key=valueincompatible types for comparisoncannot index slice/array with nilFailed to initialize terminal: %wForwarding was restarted due to: disabled updater should never runchecking for updates periodicallyUpdate to version %s successful!
Source: ngrok.exe	String found in binary or memory: Invalid URL for json_resolver_url142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length sync: RUnlock of unlocked RWMutexskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangetoo many levels of symbolic linksInitializeProcThreadAttributeListwaiting for unsupported file typebytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whenceflag accessed but not defined: %sunknown shorthand flag: %q in -%sflag needs an argument: %q in -%s%s must be formatted as key=valueincompatible types for comparisoncannot index slice/array with nilFailed to initialize terminal: %wForwarding was restarted due to: disabled updater should never runchecking for updates periodicallyUpdate to version %s successful!
Source: ngrok.exe	String found in binary or memory: save authtoken to configuration fileWrapper limit cannot be less than 1.Error creating directory for report:TCP tunnel %s cannot inspect trafficuser supplied name for this endpointTLS tunnel %s cannot inspect traffichttp://crl.ngrok-agent.com/ngrok.crlInvalid IP in dns_resolver_ips: '%s'URL scheme must be 'http' or 'https'444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzmethod ABI and value ABI don't alignreflect.Value.Equal: values of type lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: ngrok.exe	String found in binary or memory: save authtoken to configuration fileWrapper limit cannot be less than 1.Error creating directory for report:TCP tunnel %s cannot inspect trafficuser supplied name for this endpointTLS tunnel %s cannot inspect traffichttp://crl.ngrok-agent.com/ngrok.crlInvalid IP in dns_resolver_ips: '%s'URL scheme must be 'http' or 'https'444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzmethod ABI and value ABI don't alignreflect.Value.Equal: values of type lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: ngrok.exe	String found in binary or memory: runtime: bad notifyList size - sync=accessed data from freed user arena runtime: wrong goroutine in newstackruntime: invalid pc-encoded table f=accessing a corrupted shared libraryTime.UnmarshalBinary: invalid lengthstrings.Builder.Grow: negative countstrings: Join output length overflowbytes: Repeat output length overflowbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionexceeded maximum template depth (%v)%s is not a method but has argumentsinternal error: associate not commonconnect.us-cal-1.ngrok-agent.com:443connect.eu-lon-1.ngrok-agent.com:443x-ngrok-rehydrate-enriched-error-argcan't apply '%T' to %s configurationauto update is enabled, apply updatehttp: no Location header in responsehttp: unexpected EOF reading trailerhttp: invalid byte %q in Cookie.Path LastStreamID=%v ErrCode=%v Debug=%qhttp2: server rejecting conn: %v, %sHeader called after Handler finishedRoundTrip retrying after failure: %vJanFebMarAprMayJunJulAugSepOctNovDecno acceptable authentication methodsGet the details of an API key by ID.Delete an application session by ID.Get the details of a Bot User by ID.raw PEM of the Certificate Authoritymodule.provider.github.client-secretmodule.provider.github.email-domainsmodule.provider.github.organizationsmodule.provider.google.client-secretmodule.provider.google.email-domainsmodule.provider.gitlab.client-secretmodule.provider.gitlab.email-domainsmodule.provider.twitch.client-secretmodule.provider.twitch.email-domainsmodule.provider.amazon.client-secretmodule.provider.amazon.email-domainsmutual-tls.certificate-authority-idsThe ID portion of an AWS access key.target.cloudwatch-logs.log-group-arnService name to send with the event.Client ID for the application clientList all IP policies on this accountexpected an ECDSA public key, got %TTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHAtls: keys must have at least one keyunsupported SSLv2 handshake receivedtls: server did not send a key sharejson: encoding error for type %q: %qAPIInvalidCertificateAuthorityIDCodeAPIInvalidEventDestinationFormatCodeAPIInvalidEventDestinationTargetCodeBindAgentRequestHeaderAddInvalidCodeBindAgentHeaderKeyLengthExceededCodeBindAgentHeaderValLengthExceededCodeBindLabeledTunnelACLNotSupportedCodeReservedDomainNonLeadingWildcardCodeReservedDomainGaugeLimitExceededCodeReservedDomainNameDomainConflictCodeReservedAddressRateLimitExceededCodeMuxHTTPRequestsRateLimitExceededCodeBillingEmailAddressInvalidLengthCodeBillingAddressGaugeLimitExceededCodeEndpointConfigurationTypeInvalidCodeCertsInvalidDomainAlreadyManagedCodeCertsSSHUnsupportedPublicKeyTypeCodeCertsSSHUserCertNegativeDurationCodeCertsSSHHostCertNegativeDurationCodeMwCompileOAuthInvalidEmailDomainCodeMwPolicyInvalidActionConfigValueCodeMwPolicyHeaderValueLengthInvalidCodeMwPolicyCompressInvalidAlgorithmCodeMwPolicyInvalidIPPolicyReferenceCodeMwPolicyFieldNotUserConfigurableCodeMwPolicyInvalidConfigValueNotUrlCodeMwRuntimeOAuthUserActionRequiredCodeEventDestina
Source: ngrok.exe	String found in binary or memory: http: putIdleConn: keep alives disabledusername/password authentication failedcertificate-management-policy.authorityList all API keys owned by this accountmodule.provider.microsoft.client-secretmodule.provider.microsoft.email-domainsoauth.provider.facebook.email-addressesoauth.provider.linkedin.email-addressesUpdate attributes of an IP policy by IDexec: environment variable contains NULtls: unsupported certificate curve (%s)TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256tls: internal error: wrong nonce lengthno mutually supported protocol versionschain is not signed by an acceptable CACredsCredentialMembershipIsInactiveCodeCredsCannotDeleteDefaultTunnelTokenCodeMuxIncomingTrafficRateLimitExceededCodeMuxOutgoingTrafficRateLimitExceededCodeMuxConnectionsPerMonthLimitExceededCodeSSHTunnelHostnameSubdomainExclusiveCodeEndpointConfigurationInvalidRequestCodeEndpointConfigurationOAuthEmptyTeamCodeEndpointConfigurationCADoesNotExistCodeEndpointConfigurationDescCharsLimitCodeEndpointConfigurationMetaCharsLimitCodeEndpointConfigurationMutualTLSNotCACodeCertsCertificateInsteadOfPrivateKeyCodeCertsPrivateKeyInsteadOfCertificateCodeCertsSSHCAEllipticCurveNotSupportedCodeMwCompileTLSInvalidHandshakeTimeoutCodeMwCompileUserSessionInvalidSameSiteCodeMwRuntimeOAuthUserResourceForbiddenCodeMwRuntimeJWTValidationPrefixMissingCodeEmailConfirmationsResendRateLimitedCodeEventDestinationInvalidARNPartitionCodeFederatedIdPOIDCTokenExchangeFailedCodeFederatedIdPOIDCConfigurationAbsentCodeFederatedIdPOAuthInvalidEmailDomainCodeEndpointResolverCloudTunnelConflictCodeBackendHTTPResponseHeaderKeyInvalidCodeMembershipsSetPermissionsDisallowedCodeMembershipsSetActiveDisallowedAdminCodeEdgeInvalidCircuitBreakerNumBucketsCodeEdgeOAuthInvalidPunycodeEmailDomainCodeEdgeSessionInactivityTimeoutTooHighCodeEdgeAccountNotAuthorizedCompressionCodeEdgeJWTValidationHttpTokenDuplicateCodeCloudEndpointSchemeChangeDisallowedCodeCloudEndpointURLResourceNotReservedCodesession closed, starting reconnect loop/reserved_domains/{{ .ID }}/certificateassets/local/tls/trusted.root.local.crtassets/local/tls/trusted.root.stage.crtRtlDosPathNameToNtPathName_U_WithStatuscannot decode node with unknown kind %dunknown problem generating YAML contentcannot marshal invalid UTF-8 data as %scannot encode node with unknown kind %dfound an incorrect trailing UTF-8 octetdid not find expected hexdecimal numberx509: invalid subject alternative namesx509: invalid NameConstraints extensionx509: failed to parse URI constraint %qmath/big: buffer too small to fit valuex509: unknown EC private key version %d because it doesn't contain any IP SANsx509: signing with MD5 is not supportedIPv4 field must have at least one digitextraneous or missing " in quoted-fieldcsv: invalid field or comment delimitermissing argument to repetition operatortrailing backslash at end of expressionproxyproto: can't read version 1 headermartini handler must be a callable f
Source: ngrok.exe	String found in binary or memory: Specified region is not in the known seterrors: target must be a non-nil pointer13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 called with negative precreflect: FieldByName of non-struct type reflect.Value.Call: call of nil functionreflect.Value.Call: wrong argument countattempted to copy pointer to FP registerMapIter.Key called on exhausted iteratorreflect.Value.SetBytes of non-byte slicereflect.Value.setRunes of non-rune sliceinvalid span in heapArena for user arenabulkBarrierPreWrite: unaligned argumentsruntime: typeBitsBulkBarrier with type refill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedstopTheWorld: broken CPU time accountingglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsgoroutine stack size is not a power of 2address family not supported by protocoltime: Stop called on uninitialized Timertimeout while trying to apply the updateTunnel declaration must contain a 'name'Policy is one of: 'always', 'only_minor'http2: timeout awaiting response headersFrame accessor called on non-owned Frameinternal error: expecting non-nil streamrequest header %q is not valid in HTTP/2http2: Transport encoding header %q = %qprotocol error: headers after END_STREAMwriteData(stream=%d, p=%d, endStream=%v)host contains '{' (missing initial '/'?)bad wildcard segment (must end with '}')backend to be used to back this endpointmodule.provider.facebook.email-addressesmodule.provider.linkedin.email-addresseshttps-edge-route-websocket-tcp-converteroauth.provider.microsoft.email-addressesList all active endpoints on the accountThe secret portion of an AWS access key.Client Secret for the application clientList this Account's Event Subscriptions.List all IP policy rules on this accountList all IP restrictions on this accountList all ssh credentials on this accountList all static backends on this accountclient doesn't support certificate curveoversized record received with length %dtls: received empty certificates messagetls: client didn't provide a certificateBindTunnelAnonymousRateLimitExceededCodeReservedDomainChallengeCNAMENotFoundCodeReservedDomainRegionChangeNotAllowedCodeReservedAddrInvalidConfigurationTypeCodeMuxHTTPRequestsPerMonthLimitExceededCodeTunnelV2OperationCommunicationFailedCodeMaintenanceSomeOperationsUnavailableCodeEndpointConfigurationOAuthEmptyGroupCodeIPRestrictionAccountNotAuthorizedAPICodeMwCompileBasicAuthRealmLengthInvalidCodeMwCompileHTTPHeaderNameLengthInvalidCodeMwCompileUserAgentFilterInvalidRegexCodeMwPolicyActionFailedConfigResolutionCodeMwRuntimeOAuthUserMissingPermissionsCodeMwRuntimeOAuthProviderAPIUnavailableCodeMwRuntimeFederatedAuthCookieNotFoundCode
Source: ngrok.exe	String found in binary or memory: Use: stop <id>tls: internal error: sending non-handshake message to QUIC transportEndpointConfigurationCircuitBreakerThresholdPercentageOutOfRangeCodeexpected SCALAR, SEQUENCE-START, MAPPING-START, or ALIAS, but got %vembedded IPv4 address must replace the final 2 fields of the addressinvalid retry throttling config: tokenRatio (%v) may not be negative2695994666715063979466701508701963067355791626002630814351006629888126959946667150639794667015087019625940457807714424391721682722368061crypto/hmac: hash generation function does not produce unique valuesinvalid proto.Message(%T) type, expected a protoreflect.Message typebig: invalid 2nd argument to Int.Jacobi: need odd integer but got %sexpected a JSON struct with one entry; received entry %v at index %dChannelz: socket options are not supported on non-linux environmentscannot assign %v, needed to assign %d elements, but only assigned %dpq: Could not detect default username. Please provide one explicitlyinvalid descriptor: using edition features in a proto with syntax %sextension %v does not implement protoreflect.ExtensionTypeDescriptorYou must specify -config with the path to an ngrok configuration fileYou may not specify both 'region' and 'server_addr' at the same time.Connect timeout must be a positive time duration, e.g. '10s', '500ms'reflect: embedded interface with unexported method(s) not implementedruntime.Pinner: found leaking pinned pointer; forgot to call Unpin()?http2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)%s matches more methods than %s, but has a more specific path pattern%s matches fewer methods than %s, but has a more general path patternarbitrary user-defined data of this API key. optional, max 4096 bytesAdd an additional type for which this event subscription will triggertls: peer doesn't support the certificate custom signature algorithmstls: handshake message of length %d bytes exceeds maximum of %d bytestls: client certificate contains an unsupported public key of type %Ttoo many hex fields to fit an embedded IPv4 at the end of the addressinternal/concurrent.HashMapTrie: ran out of hash bits while iteratinginternal/concurrent.HashMapTrie: ran out of hash bits while insertingNetPrefix IP had a length of %d where a length of 4 or 16 is requiredparam: error parsing key %q: unknown field %q on struct %q of type %vedwards25519: internal error: setShortBytes called with a long stringheap profile: (\d+): (\d+) \[ (\d+): (\d+) \] @ fragmentationz?You may not specify any endpoint or tunnel names with the --all switchpath to TLS certificate authority to verify client certs in mutual tlsFile tunnel %s encountered an error validating directory path '%s': %vsync/atomic: compare and swap of inconsistently typed value into Valuebytes.Buffer: UnreadByte: previous operation was not a successful readinexhaustive case match in server command handler: unknown command %+vgot %s for stream %d; expected CONTINUATION following %s for stream %dAbuse Reports allow you to s
Source: ngrok.exe	String found in binary or memory: the next backend in the list until one is successful.Updates a TCP Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates a TLS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Updates an HTTPS Edge by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.Defines the name identifier format the SP expects the IdP to use in its assertions to identify subjects. If unspecified, a default value of urn:oasis:names:tc:SAML:2.0:nameid-format:persistent will be used. A subset of the allowed values enumerated by the SAML specification are supported.the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizing the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See the OpenSSH certificate protocol spec (https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys) for additional details.Updates an HTTPS Edge Route by ID. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.API Keys are used to authenticate to the ngrok
Source: ngrok.exe	String found in binary or memory: -h, --help help for ngrok
Source: ngrok.exe	String found in binary or memory: -h, --help help for ngrok
Source: ngrok.exe	String found in binary or memory: Use "ngrok [command] --help" for more information about a command.
Source: ngrok.exe	String found in binary or memory: Use "ngrok [command] --help" for more information about a command.
Source: ngrok.exe	String found in binary or memory: Use "{{.CommandPath}} [command] --help" for more information about a command.{{end}}
Source: ngrok.exe	String found in binary or memory: Use "{{.CommandPath}} [command] --help" for more information about a command.{{end}}
Source: ngrok.exe	String found in binary or memory: set -l directive (string sub --start 2 $__%[1]s_perform_completion_once_result[-1])
Source: ngrok.exe	String found in binary or memory: align-items: flex-start;
Source: ngrok.exe	String found in binary or memory: .glyphicon-stop:before {
Source: ngrok.exe	String found in binary or memory: .has-success .input-group-addon {
Source: ngrok.exe	String found in binary or memory: .has-warning .input-group-addon {
Source: ngrok.exe	String found in binary or memory: .has-error .input-group-addon {
Source: ngrok.exe	String found in binary or memory: .form-inline .input-group .input-group-addon,
Source: ngrok.exe	String found in binary or memory: .input-group-lg > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: select.input-group-lg > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: textarea.input-group-lg > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: select[multiple].input-group-lg > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: .input-group-sm > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: select.input-group-sm > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: textarea.input-group-sm > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: select[multiple].input-group-sm > .input-group-addon,
Source: ngrok.exe	String found in binary or memory: .input-group-addon,
Source: ngrok.exe	String found in binary or memory: .input-group-addon:not(:first-child):not(:last-child),
Source: ngrok.exe	String found in binary or memory: .input-group-addon {
Source: ngrok.exe	String found in binary or memory: .input-group-addon.input-sm {
Source: ngrok.exe	String found in binary or memory: .input-group-addon.input-lg {
Source: ngrok.exe	String found in binary or memory: .input-group-addon input[type="radio"],
Source: ngrok.exe	String found in binary or memory: .input-group-addon input[type="checkbox"] {
Source: ngrok.exe	String found in binary or memory: .input-group-addon:first-child,
Source: ngrok.exe	String found in binary or memory: .input-group-addon:first-child {
Source: ngrok.exe	String found in binary or memory: .input-group-addon:last-child,
Source: ngrok.exe	String found in binary or memory: .input-group-addon:last-child {
Source: ngrok.exe	String found in binary or memory: .navbar-form .input-group .input-group-addon,
Source: ngrok.exe	String found in binary or memory: .hljs-addition,
Source: ngrok.exe	String found in binary or memory: net/addrselect.go
Source: ngrok.exe	String found in binary or memory: github.com/pires/go-proxyproto@v0.7.0/addr_proto.go
Source: ngrok.exe	String found in binary or memory: google.golang.org/grpc@v1.65.0/internal/balancerload/load.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v3.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_common.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v1.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/cmd/ngrok/config/load_v2.go
Source: ngrok.exe	String found in binary or memory: go.ngrok.com/lib/web/manifest/loader.go
Source: ngrok.exe	String found in binary or memory: github.com/kentik/patricia@v1.2.1/address_v4.go
Source: ngrok.exe	String found in binary or memory: github.com/kentik/patricia@v1.2.1/address_v6.go
Source: ngrok.exe	String found in binary or memory: golang.org/x/sys@v0.26.0/windows/svc/eventlog/install.go

Source: C:\Users\user\Desktop\ngrok.exe

File read: C:\Users\user\Desktop\ngrok.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ngrok.exe "C:\Users\user\Desktop\ngrok.exe"
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Users\user\Desktop\ngrok.exe C:\Users\user\Desktop\ngrok.exe
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Users\user\Desktop\ngrok.exe C:\Users\user\Desktop\ngrok.exe	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K	Jump to behavior

Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Section loaded: samlib.dll	Jump to behavior

Source: ngrok.exe

Static PE information: certificate valid

Source: ngrok.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ngrok.exe

Static file information: File size 27581664 > 1048576

Source: ngrok.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0xaa0c00
Source: ngrok.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xe3f800

Source: ngrok.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ngrok.exe	Static PE information: section name: .xdata
Source: ngrok.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\ngrok.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ngrok.exe	Binary or memory string: X4xSOkS7vrOepX4JFNhqVdxut7pqEmuj1Xf7KhHtFquFM5fhLJHnWEJGWOTRbRVp
Source: ngrok.exe, 00000002.00000002.1695921317.000002545781D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllddS
Source: ngrok.exe, 00000000.00000002.2926123585.000002A69C57C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllffSdP

Source: C:\Users\user\Desktop\ngrok.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Users\user\Desktop\ngrok.exe C:\Users\user\Desktop\ngrok.exe			Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /K			Jump to behavior

Source: C:\Users\user\Desktop\ngrok.exe	Queries volume information: C:\Users\user\Desktop\ngrok.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\ngrok.exe	Queries volume information: C:\Users\user\Desktop\ngrok.exe VolumeInformation			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ngrok.exe	24%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://getbootstrap.com/)	0%	URL Reputation	safe
http://www.opensource.org/licenses/mit-license.php	0%	URL Reputation	safe
http://fsf.org/	0%	URL Reputation	safe
http://jedwatson.github.io/classnames	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ngrok.com/tosAuto	ngrok.exe	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	ngrok.exe	false		unknown
https://ngrok.com/docs/cloud-edge/modules/webhook-verification)the	ngrok.exe	false		unknown
https://www.ngrok.com	ngrok.exe, 00000000.00000002.2924581364.000000C0005D4000.00000004.00001000.00020000.00000000.sdmp, ngrok.exe, 00000002.00000002.1694726269.000000C00050E000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/	ngrok.exe	false		unknown
https://ngrok.com/docs/cloud-edge/endpoints#certificate-chains).Integer	ngrok.exe	false		unknown
http://www.eslinstructor.net/vkbeautify/	ngrok.exe	false		unknown
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)	ngrok.exe	false		unknown
https://dashboard.ngrok.com/api/keys)	ngrok.exe	false		unknown
https://github.com/golang/protobuf/issues/1609):	ngrok.exe	false		unknown
https://ngrok.com/tos	ngrok.exe	false		unknown
https://getbootstrap.com/)	ngrok.exe	false	URL Reputation: safe	unknown
https://github.com/spf13/cobra/issues/1508	ngrok.exe	false		unknown
https://ngrok.com/docs/errors/err_ngrok_8012	ngrok.exe, 00000002.00000002.1687544880.000000C0001A6000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://ngrok.com/docs/cloud-edge/modules/webhook-verification	ngrok.exe	false		unknown
https://www.notion.so/ngrok/FAQ-Builds-Bazel-a40e408a0e0f4c9b9613942221e30a32	ngrok.exe	false		unknown
http://creativecommons.org/publicdomain/zero/1.0	ngrok.exe	false		unknown
https://ngrok.com/docs/cloud-edge/endpoints#private-keys).A	ngrok.exe	false		unknown
http://www.opensource.org/licenses/mit-license.php	ngrok.exe	false	URL Reputation: safe	unknown
https://ngrok.com/docs/errorsfailed	ngrok.exe	false		unknown
https://ngrok.com/docs/api#authentication).	ngrok.exe	false		unknown
https://instrumentation-telemetry-intake.datadoghq.com/api/v2/apmtelemetryAddAttrs	ngrok.exe	false		unknown
http://crl.ngrok.com/ngrok.crl227373675443232059478759765625reflect:	ngrok.exe	false		unknown
https://dashboard.ngrok.com/api.	ngrok.exe	false		unknown
https://github.com/twbs/bootstrap/blob/master/LICENSE)	ngrok.exe	false		unknown
http://www.gnu.org/licenses/gpl.html	ngrok.exe	false		unknown
https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css	ngrok.exe	false		unknown
http://crl.ngrok-agent.com/ngrok.crlInvalid	ngrok.exe	false		unknown
http://fsf.org/	ngrok.exe	false	URL Reputation: safe	unknown
https://dashboard.ngrok.com/obs/traffic-inspector	ngrok.exe	false		unknown
https://ngrok....Certificate	ngrok.exe	false		unknown
http://mattn.mit-license.org/2013	ngrok.exe	false		unknown
https://api.ngrok.comagent	ngrok.exe	false		unknown
http://jedwatson.github.io/classnames	ngrok.exe	false	URL Reputation: safe	unknown
https://github.com/spf13/cobra/issues/1279	ngrok.exe	false		unknown
https://dashboard.ngrok.com/billing/subscription	ngrok.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546090
Start date and time:	2024-10-31 13:51:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ngrok.exe
Detection:	MAL
Classification:	mal52.winEXE@6/2@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: ngrok.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Download File

Process:	C:\Users\user\Desktop\ngrok.exe
File Type:	GLS_BINARY_LSB_FIRST
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.438743916256937
Encrypted:	false
SSDEEP:	3:rmHfvtH//STGlA1yqGlYUGk+ldyHGlgZty:rmHcKtGFlqty
MD5:	E467C82627F5E1524FDB4415AF19FC73
SHA1:	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E
SHA-256:	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540
SHA-512:	2A969893CC713D6388FDC768C009055BE1B35301A811A7E313D1AEEC1F75C88CCDDCD8308017A852093B1310811E90B9DA76B6330AACCF5982437D84F553183A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................xW4.4.....#Eg.......]..........+.H`........xW4.4.....#Eg......3.qq..7I......6........xW4.4.....#Eg......,..l..@E............

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.041497736446781
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ngrok.exe
File size:	27'581'664 bytes
MD5:	2c106f3e8251521af24411b49012ec34
SHA1:	40e50a9a123d61c1e78e476cb82eca3c55d39e58
SHA256:	415895b622a53a04e39711a0a3d7bc3066598c736565257c192ade6233dd1f6d
SHA512:	7f4c4b2922e3b4e197db8b914a18f5ea0f584776ed2ad9f7ba2794c150d71257a7c84ff71225a01399ba7837b21cddb55ff3bc452a3d233cd273f2fcef6fffe5
SSDEEP:	196608:cuc63EPtXiuo6T2pfSuWgMoRswObe3nz5xjt:cL63ItO6TduWgMoRswObeXz57
TLSH:	54575B07E86544A4C4EDC574C5268627BFB27C494B3427D73BA0FBA82F76BD0AA79310
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...........................@......................................c....`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x47fac0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	b196866f0bf37f1f128fa153413b744f

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	30/05/2024 01:00:00 28/08/2027 00:59:59
Subject Chain	E=support@ngrok.com, CN="Ngrok, Inc.", O="Ngrok, Inc.", L=San Diego, S=California, C=US
Version:	3
Thumbprint MD5:	CC5EDA008651FDA11F28615C7195CB79
Thumbprint SHA-1:	7A54EB0D199484EB8CAEA931C90A744BCF02A7E0
Thumbprint SHA-256:	DCD0CADC31F1510A6B56E2A76FD37B6D66E7A2B1B6016FA37FACE467F08F76B4
Serial:	083A42D331C15FD98D28315D15D9E3F7

Entrypoint Preview

Instruction
jmp 00007F7868F9C930h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [0199F88Ah]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F7868FA0235h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F7868FA54CBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a71000	0x57a	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1aad000	0x228	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1a2e000	0x41f34	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1a4bc00	0x20e0	.pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1a72000	0x39ff4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18e4060	0x188	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xaa0b60	0xaa0c00	344a60ef7a69672036c936b00c9eb106	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xaa2000	0xe3f608	0xe3f800	f6df07fb207336b32835b941068f1f07	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18e2000	0x14be50	0xee400	9e00604fbf61f212e69dd4342e56af13	False	0.24710002951206717	data	4.124743465370536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1a2e000	0x41f34	0x42000	8ae27f12bcc27b263fb6033488b66687	False	0.3961551550662879	data	5.666754799923342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x1a70000	0xb4	0x200	6977ec7ca37f8fcac4d31ba836d75126	False	0.224609375	data	1.783206012798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x1a71000	0x57a	0x600	c09c924d4c817757969bea229ed94c1b	False	0.38671875	data	4.306029758715446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1a72000	0x39ff4	0x3a000	ca2694d21a3f7dae91be555a4a1b197e	False	0.16897898706896552	data	5.448149358332403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x1aac000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1aad000	0x228	0x400	c76fd61009666f7d1246d54bfa02c0c2	False	0.2802734375	data	1.877489289824538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1aad058	0x1cc	data	English	United States	0.5413043478260869

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetThreadPriority, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateWaitableTimerA, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	08:52:00
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\ngrok.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ngrok.exe"
Imagebase:	0x9e0000
File size:	27'581'664 bytes
MD5 hash:	2C106F3E8251521AF24411B49012EC34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	08:52:00
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:52:00
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\ngrok.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\ngrok.exe
Imagebase:	0x9e0000
File size:	27'581'664 bytes
MD5 hash:	2C106F3E8251521AF24411B49012EC34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:52:02
Start date:	31/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /K
Imagebase:	0x7ff6a54e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ngrok.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\Mup\user-PC\PIPE\samr

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: ngrok.exePID: 7128, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7148, Parent PID: 7128

Windows Analysis Report
ngrok.exe