Edit tour

Windows Analysis Report
https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll

Overview

General Information

Sample URL:	https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll
Analysis ID:	1645237
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected suspicious crossdomain redirect

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

PE file contains sections with non-standard names

Yara signature match

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6220 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6824 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,11290067482746258853,114400927890450164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2072 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7388 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,11290067482746258853,114400927890450164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5096 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7584 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_91	Reflective_DLL_Loader_Aug17_1	Detects Reflective DLL Loader	Florian Roth	0x1ced8:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
dropped/chromecache_91	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1ced9:$s2: ReflectiveLoader@
C:\Users\user\Downloads\Unconfirmed 826706.crdownload	Reflective_DLL_Loader_Aug17_1	Detects Reflective DLL Loader	Florian Roth	0x1ced8:$s4: ?ReflectiveLoader@@YA_KPEAX@Z
C:\Users\user\Downloads\Unconfirmed 826706.crdownload	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x1ced9:$s2: ReflectiveLoader@

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 142.251.40.196:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.113.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.113.3:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49730 version: TLS 1.2

Source:

Binary string: Z:\metasploit-framework\data\exploits\CVE-2024-30085\cve-202430085-dll.pdb source: Unconfirmed 826706.crdownload.5.dr, chromecache_91.6.dr

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

HTTP traffic: Redirect from: github.com to https://raw.githubusercontent.com/rapid7/metasploit-framework/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/cve-2024-30085/cve-202430085-dll.dll

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.16
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll HTTP/1.1Host: github.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /rapid7/metasploit-framework/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll HTTP/1.1Host: raw.githubusercontent.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Source: unknown	HTTPS traffic detected: 142.251.40.196:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.113.3:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.113.3:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49730 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: dropped/chromecache_91, type: DROPPED	Matched rule: Detects Reflective DLL Loader Author: Florian Roth
Source: dropped/chromecache_91, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: C:\Users\user\Downloads\Unconfirmed 826706.crdownload, type: DROPPED	Matched rule: Detects Reflective DLL Loader Author: Florian Roth
Source: C:\Users\user\Downloads\Unconfirmed 826706.crdownload, type: DROPPED	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir6220_865719205

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir6220_865719205

Jump to behavior

Source: dropped/chromecache_91, type: DROPPED	Matched rule: Reflective_DLL_Loader_Aug17_1 date = 2017-08-20, hash1 = f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320, author = Florian Roth, description = Detects Reflective DLL Loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: dropped/chromecache_91, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: C:\Users\user\Downloads\Unconfirmed 826706.crdownload, type: DROPPED	Matched rule: Reflective_DLL_Loader_Aug17_1 date = 2017-08-20, hash1 = f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320, author = Florian Roth, description = Detects Reflective DLL Loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Downloads\Unconfirmed 826706.crdownload, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts

Source: classification engine

Classification label: mal48.win@23/3@6/4

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\2a0a0cdd-2a68-4196-9f08-a5e2fab47ad9.tmp

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,11290067482746258853,114400927890450164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2072 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,11290067482746258853,114400927890450164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5096 /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,11290067482746258853,114400927890450164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2072 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,11290067482746258853,114400927890450164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5096 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:

Binary string: Z:\metasploit-framework\data\exploits\CVE-2024-30085\cve-202430085-dll.pdb source: Unconfirmed 826706.crdownload.5.dr, chromecache_91.6.dr

Source: Unconfirmed 826706.crdownload.5.dr	Static PE information: section name: _RDATA
Source: chromecache_91.6.dr	Static PE information: section name: _RDATA

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 826706.crdownload			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 91			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 91
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: Chrome Cache Entry: 91			Jump to dropped file

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	21 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
github.com	140.82.113.3	true	false	high
raw.githubusercontent.com	185.199.108.133	true	false	high
www.google.com	142.251.40.196	true	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
140.82.113.3	github.com	United States	36459	GITHUBUS	false
142.251.40.196	www.google.com	United States	15169	GOOGLEUS	false
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1645237
Start date and time:	2025-03-21 15:13:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@23/3@6/4

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.31.69.3, 142.251.40.163, 142.250.65.206, 64.233.180.84, 142.251.41.14, 142.250.80.78, 142.251.40.110, 142.251.40.206, 142.250.65.238, 142.251.32.110, 142.251.40.238, 142.250.81.238, 142.250.65.174, 199.232.214.172, 142.251.35.163, 34.104.35.123, 142.251.41.3, 142.250.176.206, 4.175.87.197, 23.96.180.189, 150.171.28.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, redirector.gvt1.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.108662160899414
Encrypted:	false
SSDEEP:	3072:asaSGlvgfcA6AVLie5pdCpOjvuIUiRp/v645ZI1:pClZA6teEpO6Ifz2
MD5:	2B48801A36FC086A579D2AFE0ADABF6A
SHA1:	7C997C8446E86B5436F463F7F7B7F84D9917EDD5
SHA-256:	DF35C67EFD73061681C920552E40EC9921D9C776A611E8A3915A78CE12F4572D
SHA-512:	E6406EC0EB40C7370E31469B8430AA5FF5BC31CFEF40C6BD037B8D1FF3BA5DAB46574B7BE33EF812D9AEC3FFF7CC07BE46B6E9F5C743A167F9E46E06D500AA21
Malicious:	false
Yara Hits:	Rule: Reflective_DLL_Loader_Aug17_1, Description: Detects Reflective DLL Loader, Source: C:\Users\user\Downloads\Unconfirmed 826706.crdownload, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: C:\Users\user\Downloads\Unconfirmed 826706.crdownload, Author: ditekSHen
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... ... ... ...{..*...{..%...{.......................)...{..'... ...G......"......!.....q.!......!...Rich ...........PE..d......g.........." .................+.......................................`............`.............................................h.......P....@.......................P..h.......p...........................0...0............@...............................text....,.......................... ..`.rdata.......@.......2..............@..@.data...............................@....pdata..............................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc..h....P......................@..B........................................................................................................................................................................................................

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	downloaded
Size (bytes):	132096
Entropy (8bit):	6.108662160899414
Encrypted:	false
SSDEEP:	3072:asaSGlvgfcA6AVLie5pdCpOjvuIUiRp/v645ZI1:pClZA6teEpO6Ifz2
MD5:	2B48801A36FC086A579D2AFE0ADABF6A
SHA1:	7C997C8446E86B5436F463F7F7B7F84D9917EDD5
SHA-256:	DF35C67EFD73061681C920552E40EC9921D9C776A611E8A3915A78CE12F4572D
SHA-512:	E6406EC0EB40C7370E31469B8430AA5FF5BC31CFEF40C6BD037B8D1FF3BA5DAB46574B7BE33EF812D9AEC3FFF7CC07BE46B6E9F5C743A167F9E46E06D500AA21
Malicious:	false
Reputation:	low
URL:	https://raw.githubusercontent.com/rapid7/metasploit-framework/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... ... ... ...{..*...{..%...{.......................)...{..'... ...G......"......!.....q.!......!...Rich ...........PE..d......g.........." .................+.......................................`............`.............................................h.......P....@.......................P..h.......p...........................0...0............@...............................text....,.......................... ..`.rdata.......@.......2..............@..@.data...............................@....pdata..............................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc..h....P......................@..B........................................................................................................................................................................................................

Total Packets: 89
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2025 15:14:01.408806086 CET	49672	443	192.168.2.5	204.79.197.203
Mar 21, 2025 15:14:05.259412050 CET	49676	443	192.168.2.5	20.189.173.14
Mar 21, 2025 15:14:05.564996958 CET	49676	443	192.168.2.5	20.189.173.14
Mar 21, 2025 15:14:06.174360991 CET	49676	443	192.168.2.5	20.189.173.14
Mar 21, 2025 15:14:06.221033096 CET	49672	443	192.168.2.5	204.79.197.203
Mar 21, 2025 15:14:07.377532005 CET	49676	443	192.168.2.5	20.189.173.14
Mar 21, 2025 15:14:09.783761978 CET	49676	443	192.168.2.5	20.189.173.14
Mar 21, 2025 15:14:14.675219059 CET	49676	443	192.168.2.5	20.189.173.14
Mar 21, 2025 15:14:15.831525087 CET	49672	443	192.168.2.5	204.79.197.203
Mar 21, 2025 15:14:17.458267927 CET	49727	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:14:17.458372116 CET	443	49727	142.251.40.196	192.168.2.5
Mar 21, 2025 15:14:17.458458900 CET	49727	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:14:17.458619118 CET	49727	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:14:17.458656073 CET	443	49727	142.251.40.196	192.168.2.5
Mar 21, 2025 15:14:17.662889957 CET	443	49727	142.251.40.196	192.168.2.5
Mar 21, 2025 15:14:17.662978888 CET	49727	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:14:17.664228916 CET	49727	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:14:17.664258957 CET	443	49727	142.251.40.196	192.168.2.5
Mar 21, 2025 15:14:17.664525986 CET	443	49727	142.251.40.196	192.168.2.5
Mar 21, 2025 15:14:17.705748081 CET	49727	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:14:19.182811022 CET	49728	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.182845116 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.183137894 CET	49728	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.183201075 CET	49729	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.183299065 CET	443	49729	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.183355093 CET	49728	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.183366060 CET	49729	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.183372974 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.183588028 CET	49729	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.183623075 CET	443	49729	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.388320923 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.388412952 CET	49728	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.389636993 CET	49728	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.389645100 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.389890909 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.390149117 CET	49728	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.391849041 CET	443	49729	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.391952991 CET	49729	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.392770052 CET	49729	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.392790079 CET	443	49729	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.393060923 CET	443	49729	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.432329893 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.442316055 CET	49729	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.644869089 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.644963980 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.645024061 CET	49728	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.645036936 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.645051956 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.645132065 CET	49728	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.645561934 CET	49728	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:19.645574093 CET	443	49728	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:19.750427961 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:19.750468016 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:19.750571966 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:19.750761986 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:19.750776052 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:19.941853046 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:19.941952944 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:19.943284035 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:19.943298101 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:19.943536997 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:19.944614887 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:19.992317915 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.182456017 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.197524071 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.197544098 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.197611094 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.197690964 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.197732925 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.197770119 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.220160007 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.220184088 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.220257044 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.220278025 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.220325947 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.262142897 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.287343025 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.287369013 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.287417889 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.287436962 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.287473917 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.287482023 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.297609091 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.297632933 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.297687054 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.297702074 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.297756910 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.297756910 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.310405970 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.310422897 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.310463905 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.310501099 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.310514927 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.310565948 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.354304075 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.354321957 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.354446888 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.354446888 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.354465961 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.354512930 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.373584032 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.373599052 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.373652935 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.373672962 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.373745918 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.384977102 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.384994984 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.385049105 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.385066032 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.385093927 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.385113955 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.385536909 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.385623932 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:20.385683060 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.385920048 CET	49730	443	192.168.2.5	185.199.108.133
Mar 21, 2025 15:14:20.385951996 CET	443	49730	185.199.108.133	192.168.2.5
Mar 21, 2025 15:14:22.914849043 CET	80	49693	23.203.176.221	192.168.2.5
Mar 21, 2025 15:14:22.915003061 CET	49693	80	192.168.2.5	23.203.176.221
Mar 21, 2025 15:14:22.915046930 CET	49693	80	192.168.2.5	23.203.176.221
Mar 21, 2025 15:14:23.007452965 CET	80	49693	23.203.176.221	192.168.2.5
Mar 21, 2025 15:14:23.533412933 CET	80	49695	23.203.176.221	192.168.2.5
Mar 21, 2025 15:14:23.535372019 CET	49695	80	192.168.2.5	23.203.176.221
Mar 21, 2025 15:14:23.567550898 CET	49695	80	192.168.2.5	23.203.176.221
Mar 21, 2025 15:14:23.658590078 CET	80	49695	23.203.176.221	192.168.2.5
Mar 21, 2025 15:14:24.284059048 CET	49676	443	192.168.2.5	20.189.173.14
Mar 21, 2025 15:14:24.487375021 CET	443	49729	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:24.487456083 CET	443	49729	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:24.487499952 CET	49729	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:24.503853083 CET	80	49694	23.203.176.221	192.168.2.5
Mar 21, 2025 15:14:24.503962040 CET	49694	80	192.168.2.5	23.203.176.221
Mar 21, 2025 15:14:24.509131908 CET	49694	80	192.168.2.5	23.203.176.221
Mar 21, 2025 15:14:24.599451065 CET	80	49694	23.203.176.221	192.168.2.5
Mar 21, 2025 15:14:25.551331043 CET	49729	443	192.168.2.5	140.82.113.3
Mar 21, 2025 15:14:25.551364899 CET	443	49729	140.82.113.3	192.168.2.5
Mar 21, 2025 15:14:26.782592058 CET	80	49696	23.203.176.221	192.168.2.5
Mar 21, 2025 15:14:26.782730103 CET	49696	80	192.168.2.5	23.203.176.221
Mar 21, 2025 15:14:26.782804012 CET	49696	80	192.168.2.5	23.203.176.221
Mar 21, 2025 15:14:26.878269911 CET	80	49696	23.203.176.221	192.168.2.5
Mar 21, 2025 15:14:27.073950052 CET	80	49706	23.203.176.221	192.168.2.5
Mar 21, 2025 15:14:27.074064016 CET	49706	80	192.168.2.5	23.203.176.221
Mar 21, 2025 15:14:27.668745041 CET	443	49727	142.251.40.196	192.168.2.5
Mar 21, 2025 15:14:27.668806076 CET	443	49727	142.251.40.196	192.168.2.5
Mar 21, 2025 15:14:27.668966055 CET	49727	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:14:29.548161983 CET	49727	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:14:29.548188925 CET	443	49727	142.251.40.196	192.168.2.5
Mar 21, 2025 15:14:54.521884918 CET	49701	443	192.168.2.5	23.219.82.16
Mar 21, 2025 15:14:54.522309065 CET	49706	80	192.168.2.5	23.203.176.221
Mar 21, 2025 15:15:17.410262108 CET	49743	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:15:17.410310984 CET	443	49743	142.251.40.196	192.168.2.5
Mar 21, 2025 15:15:17.410490036 CET	49743	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:15:17.410677910 CET	49743	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:15:17.410690069 CET	443	49743	142.251.40.196	192.168.2.5
Mar 21, 2025 15:15:17.623441935 CET	443	49743	142.251.40.196	192.168.2.5
Mar 21, 2025 15:15:17.623846054 CET	49743	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:15:17.623879910 CET	443	49743	142.251.40.196	192.168.2.5
Mar 21, 2025 15:15:27.625507116 CET	443	49743	142.251.40.196	192.168.2.5
Mar 21, 2025 15:15:27.625565052 CET	443	49743	142.251.40.196	192.168.2.5
Mar 21, 2025 15:15:27.625665903 CET	49743	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:15:29.551486969 CET	49743	443	192.168.2.5	142.251.40.196
Mar 21, 2025 15:15:29.551533937 CET	443	49743	142.251.40.196	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2025 15:14:13.332252026 CET	53	58189	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:13.355508089 CET	53	54497	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:13.916738033 CET	53	63545	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:14.035604954 CET	53	63309	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:17.347589016 CET	55631	53	192.168.2.5	1.1.1.1
Mar 21, 2025 15:14:17.347764015 CET	52009	53	192.168.2.5	1.1.1.1
Mar 21, 2025 15:14:17.455348015 CET	53	52009	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:17.457278967 CET	53	55631	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:19.078869104 CET	65301	53	192.168.2.5	1.1.1.1
Mar 21, 2025 15:14:19.079039097 CET	57387	53	192.168.2.5	1.1.1.1
Mar 21, 2025 15:14:19.181771994 CET	53	57387	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:19.182137966 CET	53	65301	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:19.649166107 CET	51610	53	192.168.2.5	1.1.1.1
Mar 21, 2025 15:14:19.649315119 CET	49510	53	192.168.2.5	1.1.1.1
Mar 21, 2025 15:14:19.749038935 CET	53	51610	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:19.749963999 CET	53	49510	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:31.105916023 CET	53	55587	1.1.1.1	192.168.2.5
Mar 21, 2025 15:14:50.104288101 CET	53	53315	1.1.1.1	192.168.2.5
Mar 21, 2025 15:15:08.524045944 CET	138	138	192.168.2.5	192.168.2.255
Mar 21, 2025 15:15:12.892694950 CET	53	62326	1.1.1.1	192.168.2.5
Mar 21, 2025 15:15:12.969240904 CET	53	55286	1.1.1.1	192.168.2.5
Mar 21, 2025 15:15:15.716344118 CET	53	49416	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 21, 2025 15:14:17.347589016 CET	192.168.2.5	1.1.1.1	0xa9c0	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 21, 2025 15:14:17.347764015 CET	192.168.2.5	1.1.1.1	0xc80c	Standard query (0)	www.google.com	65	IN (0x0001)	false
Mar 21, 2025 15:14:19.078869104 CET	192.168.2.5	1.1.1.1	0x5851	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Mar 21, 2025 15:14:19.079039097 CET	192.168.2.5	1.1.1.1	0x22ae	Standard query (0)	github.com	65	IN (0x0001)	false
Mar 21, 2025 15:14:19.649166107 CET	192.168.2.5	1.1.1.1	0x372a	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Mar 21, 2025 15:14:19.649315119 CET	192.168.2.5	1.1.1.1	0xc0be	Standard query (0)	raw.githubusercontent.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 21, 2025 15:14:17.455348015 CET	1.1.1.1	192.168.2.5	0xc80c	No error (0)	www.google.com		65	IN (0x0001)	false
Mar 21, 2025 15:14:17.457278967 CET	1.1.1.1	192.168.2.5	0xa9c0	No error (0)	www.google.com	142.251.40.196	A (IP address)	IN (0x0001)	false
Mar 21, 2025 15:14:19.182137966 CET	1.1.1.1	192.168.2.5	0x5851	No error (0)	github.com	140.82.113.3	A (IP address)	IN (0x0001)	false
Mar 21, 2025 15:14:19.749038935 CET	1.1.1.1	192.168.2.5	0x372a	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Mar 21, 2025 15:14:19.749038935 CET	1.1.1.1	192.168.2.5	0x372a	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Mar 21, 2025 15:14:19.749038935 CET	1.1.1.1	192.168.2.5	0x372a	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Mar 21, 2025 15:14:19.749038935 CET	1.1.1.1	192.168.2.5	0x372a	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

raw.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49728	140.82.113.3	443	6824	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-21 14:14:19 UTC	783	OUT	GET /rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll HTTP/1.1 Host: github.com Connection: keep-alive sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-21 14:14:19 UTC	653	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Fri, 21 Mar 2025 14:14:19 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Access-Control-Allow-Origin: Location: https://raw.githubusercontent.com/rapid7/metasploit-framework/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2025-03-21 14:14:19 UTC	3370	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.githu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49730	185.199.108.133	443	6824	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-21 14:14:19 UTC	794	OUT	GET /rapid7/metasploit-framework/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll HTTP/1.1 Host: raw.githubusercontent.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-21 14:14:20 UTC	893	IN	HTTP/1.1 200 OK Connection: close Content-Length: 132096 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "d305f340c34aad472b8676a4a79b0cf507087d6b68324655ae9637979324d544" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 1B08:12F2C:20A8D8:28BAB1:67DD743B Accept-Ranges: bytes Date: Fri, 21 Mar 2025 14:14:20 GMT Via: 1.1 varnish X-Served-By: cache-lga21949-LGA X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1742566460.064831,VS0,VE68 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: af42e32257e36126ef2b736033b38816a36deb97 Expires: Fri, 21 Mar 2025 14:19:20 GMT Source-Age: 0
2025-03-21 14:14:20 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 64 d6 e0 d9 20 b7 8e 8a 20 b7 8e 8a 20 b7 8e 8a 7b df 8a 8b 2a b7 8e 8a 7b df 8d 8b 25 b7 8e 8a 7b df 8b 8b a5 b7 8e 8a d8 c7 8b 8b 00 b7 8e 8a d8 c7 8a 8b 2e b7 8e 8a d8 c7 8d 8b 29 b7 8e 8a 7b df 8f 8b 27 b7 8e 8a 20 b7 8f 8a 47 b7 8e 8a e0 c6 87 8b 22 b7 8e 8a e0 c6 8e 8b 21 b7 8e 8a e0 c6 71 8a 21 b7 8e 8a e0 c6 8c 8b 21 b7 8e 8a 52 69 63 68 20 b7 8e 8a 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$d {*{%{.){' G"!q!!Rich
2025-03-21 14:14:20 UTC	16384	IN	Data Raw: 68 48 8b 85 58 04 00 00 48 89 45 80 4c 89 65 90 44 89 65 98 66 44 89 65 a0 44 89 65 b0 44 88 65 b4 4c 89 a5 b8 03 00 00 4c 89 a5 c0 03 00 00 4c 89 7c 24 60 48 89 5c 24 78 44 89 a5 d0 03 00 00 e8 f3 07 00 00 48 63 d8 48 85 f6 74 49 41 f6 c7 01 74 22 48 85 ff 75 08 85 c0 0f 85 84 00 00 00 48 8b 44 24 30 48 3b c7 75 28 85 db 78 28 48 3b df 76 23 eb 6f 4d 85 f6 74 65 48 85 ff 74 17 85 c0 79 05 44 88 26 eb 0e 48 8b 44 24 30 48 3b c7 74 66 44 88 24 06 48 8b 8d c0 03 00 00 e8 b6 43 00 00 4c 89 a5 c0 03 00 00 44 38 64 24 58 74 0c 48 8b 4c 24 40 83 a1 a8 03 00 00 fd 8b c3 48 8b 8d e0 03 00 00 48 33 cc e8 b3 db ff ff 48 81 c4 f0 04 00 00 41 5f 41 5e 41 5c 5f 5e 5b 5d c3 48 85 ff 75 05 83 cb ff eb ad 48 8b 44 24 30 48 3b c7 75 9f bb fe ff ff ff 44 88 64 37 ff eb 97 Data Ascii: hHXHELeDefDeDeDeLLL\|$`H\$xDHcHtIAt"HuHD$0H;u(x(H;v#oMteHtyD&HD$0H;tfD$HCLD8d$XtHL$@HH3HA_A^A\_^[]HuHD$0H;uDd7
2025-03-21 14:14:20 UTC	16384	IN	Data Raw: 84 c0 74 4e 48 f7 c1 07 00 00 00 75 e3 49 bb 80 80 80 80 80 80 80 80 49 ba ff fe fe fe fe fe fe fe 8d 04 0a 25 ff 0f 00 00 3d f8 0f 00 00 77 c0 48 8b 01 48 3b 04 0a 75 b7 48 83 c1 08 49 83 e8 08 76 0f 4d 8d 0c 02 48 f7 d0 49 23 c1 49 85 c3 74 cf 33 c0 c3 48 1b c0 48 83 c8 01 c3 cc cc cc 4d 85 c0 75 18 33 c0 c3 0f b7 01 66 85 c0 74 13 66 3b 02 75 0e 48 83 c1 02 48 83 c2 02 49 83 e8 01 75 e5 0f b7 01 0f b7 0a 2b c1 c3 40 53 48 83 ec 20 4c 8b c2 48 8b d9 48 85 c9 74 0e 33 d2 48 8d 42 e0 48 f7 f3 49 3b c0 72 43 49 0f af d8 b8 01 00 00 00 48 85 db 48 0f 44 d8 eb 15 e8 8a 4b 00 00 85 c0 74 28 48 8b cb e8 2a e6 ff ff 85 c0 74 1c 48 8b 0d 27 7f 01 00 4c 8b c3 ba 08 00 00 00 ff 15 61 b3 00 00 48 85 c0 74 d1 eb 0d e8 45 03 00 00 c7 00 0c 00 00 00 33 c0 48 83 c4 20 Data Ascii: tNHuII%=wHH;uHIvMHI#It3HHMu3ftf;uHHIu+@SH LHHt3HBHI;rCIHHDKt(H*tH'LaHtE3H
2025-03-21 14:14:20 UTC	16384	IN	Data Raw: d9 4c 8d 0d b8 98 00 00 b9 1c 00 00 00 4c 8d 05 a8 98 00 00 48 8d 15 a5 98 00 00 e8 00 fe ff ff 48 85 c0 74 16 48 8b d3 48 c7 c1 fa ff ff ff 48 83 c4 20 5b 48 ff 25 9d 76 00 00 b8 25 02 00 c0 48 83 c4 20 5b c3 cc cc 48 83 ec 28 4c 8d 0d f9 97 00 00 33 c9 4c 8d 05 ec 97 00 00 48 8d 15 ed 97 00 00 e8 b8 fd ff ff 48 85 c0 74 0b 48 83 c4 28 48 ff 25 60 76 00 00 b8 01 00 00 00 48 83 c4 28 c3 cc cc 40 53 48 83 ec 20 48 8b d9 4c 8d 0d d4 97 00 00 b9 03 00 00 00 4c 8d 05 c0 97 00 00 48 8d 15 09 86 00 00 e8 74 fd ff ff 48 85 c0 74 0f 48 8b cb 48 83 c4 20 5b 48 ff 25 18 76 00 00 48 83 c4 20 5b 48 ff 25 c4 74 00 00 40 53 48 83 ec 20 8b d9 4c 8d 0d 95 97 00 00 b9 04 00 00 00 4c 8d 05 81 97 00 00 48 8d 15 da 85 00 00 e8 2d fd ff ff 8b cb 48 85 c0 74 0c 48 83 c4 20 5b Data Ascii: LLHHtHHH [H%v%H [H(L3LHHtH(H%`vH(@SH HLLHtHtHH [H%vH [H%t@SH LLH-HtH [
2025-03-21 14:14:20 UTC	16384	IN	Data Raw: 4c 8b c3 41 8b ce 85 c0 75 65 21 54 24 28 48 21 54 24 20 e8 d4 bb ff ff 8b f8 85 c0 75 60 48 8d 4b f0 81 39 dd dd 00 00 75 05 e8 29 84 ff ff 33 ff 48 85 f6 74 11 48 8d 4e f0 81 39 dd dd 00 00 75 05 e8 11 84 ff ff 8b c7 48 8b 4d 08 48 33 cd e8 2b 1c ff ff 48 8b 5d 40 48 8b 75 48 48 8b 7d 50 48 8d 65 10 41 5f 41 5e 41 5d 41 5c 5d c3 89 44 24 28 48 8b 45 68 48 89 44 24 20 eb 95 48 8d 4b f0 81 39 dd dd 00 00 75 a7 e8 c9 83 ff ff eb a0 cc cc cc 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 70 48 8b f2 49 8b d9 48 8b d1 41 8b f8 48 8d 4c 24 50 e8 2f 45 ff ff 8b 84 24 c0 00 00 00 48 8d 4c 24 58 89 44 24 40 4c 8b cb 8b 84 24 b8 00 00 00 44 8b c7 89 44 24 38 48 8b d6 8b 84 24 b0 00 00 00 89 44 24 30 48 8b 84 24 a8 00 00 00 48 89 44 24 28 8b 84 24 a0 00 00 00 89 44 24 Data Ascii: LAue!T$(H!T$ u`HK9u)3HtHN9uHMH3+H]@HuHH}PHeA_A^A]A\]D$(HEhHD$ HK9uH\$Ht$WHpHIHAHL$P/E$HL$XD$@L$DD$8H$D$0H$HD$($D$
2025-03-21 14:14:20 UTC	16384	IN	Data Raw: 60 76 69 72 74 75 61 6c 20 64 69 73 70 6c 61 63 65 6d 65 6e 74 20 6d 61 70 27 00 00 00 00 00 00 60 65 68 20 76 65 63 74 6f 72 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 00 00 00 00 00 00 60 65 68 20 76 65 63 74 6f 72 20 64 65 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 60 65 68 20 76 65 63 74 6f 72 20 76 62 61 73 65 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 61 74 6f 72 27 00 00 60 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 63 6c 6f 73 75 72 65 27 00 00 00 00 00 00 60 75 64 74 20 72 65 74 75 72 6e 69 6e 67 27 00 60 45 48 00 60 52 54 54 49 00 00 00 00 00 00 00 60 6c 6f 63 61 6c 20 76 66 74 61 62 6c 65 27 00 60 6c 6f 63 61 6c 20 76 66 74 61 62 6c 65 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 63 6c 6f 73 Data Ascii: `virtual displacement map'`eh vector constructor iterator'`eh vector destructor iterator'`eh vector vbase constructor iterator'`copy constructor closure'`udt returning'`EH`RTTI`local vftable'`local vftable constructor clos
2025-03-21 14:14:20 UTC	16384	IN	Data Raw: 41 00 00 00 00 00 00 00 73 00 6d 00 6a 00 2d 00 4e 00 4f 00 00 00 00 00 61 00 72 00 2d 00 44 00 5a 00 00 00 00 00 00 00 7a 00 68 00 2d 00 4d 00 4f 00 00 00 00 00 00 00 64 00 65 00 2d 00 4c 00 49 00 00 00 00 00 00 00 65 00 6e 00 2d 00 4e 00 5a 00 00 00 00 00 00 00 65 00 73 00 2d 00 43 00 52 00 00 00 00 00 00 00 66 00 72 00 2d 00 4c 00 55 00 00 00 00 00 00 00 62 00 73 00 2d 00 42 00 41 00 2d 00 4c 00 61 00 74 00 6e 00 00 00 00 00 73 00 6d 00 6a 00 2d 00 53 00 45 00 00 00 00 00 61 00 72 00 2d 00 4d 00 41 00 00 00 00 00 00 00 65 00 6e 00 2d 00 49 00 45 00 00 00 00 00 00 00 65 00 73 00 2d 00 50 00 41 00 00 00 00 00 00 00 66 00 72 00 2d 00 4d 00 43 00 00 00 00 00 00 00 73 00 72 00 2d 00 42 00 41 00 2d 00 4c 00 61 00 74 00 6e 00 00 00 00 00 73 00 6d 00 61 00 2d Data Ascii: Asmj-NOar-DZzh-MOde-LIen-NZes-CRfr-LUbs-BA-Latnsmj-SEar-MAen-IEes-PAfr-MCsr-BA-Latnsma-
2025-03-21 14:14:20 UTC	16384	IN	Data Raw: 6a 22 00 00 d0 cd 01 00 21 00 00 00 43 20 00 00 d9 20 00 00 bc cd 01 00 21 00 00 00 15 1d 00 00 43 20 00 00 a4 cd 01 00 21 00 00 00 90 1c 00 00 15 1d 00 00 88 cd 01 00 01 16 04 00 16 52 12 70 11 60 10 30 00 00 00 00 01 00 00 00 11 15 08 00 15 74 09 00 15 64 07 00 15 34 06 00 15 32 11 e0 6c 38 00 00 02 00 00 00 34 29 00 00 a3 29 00 00 b0 39 01 00 00 00 00 00 06 2a 00 00 11 2a 00 00 b0 39 01 00 00 00 00 00 01 06 02 00 06 32 02 50 11 0a 04 00 0a 34 08 00 0a 52 06 70 6c 38 00 00 04 00 00 00 4b 2a 00 00 6a 2a 00 00 c7 39 01 00 00 00 00 00 40 2a 00 00 82 2a 00 00 e0 39 01 00 00 00 00 00 8b 2a 00 00 96 2a 00 00 c7 39 01 00 00 00 00 00 8b 2a 00 00 97 2a 00 00 e0 39 01 00 00 00 00 00 09 1a 06 00 1a 34 0f 00 1a 72 16 e0 14 70 13 60 6c 38 00 00 01 00 00 00 cd 2a 00 Data Ascii: j"!C !C !Rp`0td42l84))9*92P4Rpl8Kj9@9994rp`l8
2025-03-21 14:14:20 UTC	1024	IN	Data Raw: a8 a3 b8 a3 c8 a3 d8 a3 e8 a3 f8 a3 08 a4 18 a4 28 a4 38 a4 48 a4 58 a4 68 a4 78 a4 88 a4 98 a4 a8 a4 b8 a4 c8 a4 d8 a4 e8 a4 f8 a4 08 a5 18 a5 28 a5 38 a5 00 90 01 00 d0 01 00 00 60 a1 70 a1 80 a1 90 a1 a0 a1 b0 a1 c0 a1 d0 a1 e0 a1 f0 a1 00 a2 10 a2 20 a2 30 a2 40 a2 50 a2 60 a2 70 a2 80 a2 90 a2 a0 a2 b0 a2 c0 a2 d0 a2 e0 a2 f0 a2 00 a3 10 a3 20 a3 30 a3 40 a3 50 a3 60 a3 70 a3 80 a3 90 a3 a0 a3 b0 a3 c0 a3 d0 a3 e0 a3 f0 a3 00 a4 10 a4 20 a4 30 a4 40 a4 50 a4 60 a4 70 a4 80 a4 90 a4 a0 a4 b0 a4 c0 a4 d0 a4 e0 a4 f0 a4 00 a5 10 a5 20 a5 30 a5 40 a5 50 a5 60 a5 70 a5 80 a5 90 a5 a0 a5 b0 a5 c0 a5 d0 a5 e0 a5 f0 a5 00 a6 10 a6 20 a6 30 a6 40 a6 50 a6 60 a6 70 a6 80 a6 90 a6 a0 a6 b0 a6 c0 a6 d0 a6 e0 a6 f0 a6 00 a7 10 a7 20 a7 30 a7 40 a7 50 a7 60 a7 70 Data Ascii: (8HXhx(8`p 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	5
Start time:	10:14:05
Start date:	21/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff641030000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:14:11
Start date:	21/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,11290067482746258853,114400927890450164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2072 /prefetch:3
Imagebase:	0x7ff641030000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:14:14
Start date:	21/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2040,i,11290067482746258853,114400927890450164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5096 /prefetch:8
Imagebase:	0x7ff641030000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	10:14:17
Start date:	21/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll"
Imagebase:	0x7ff641030000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Downloads\Unconfirmed 826706.crdownload

Chrome Cache Entry: 91

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6220, Parent PID: 3440

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Key Value Deleted

COM Activities

WMI Operations

Windows Analysis Report
https://github.com/rapid7/metasploit-framework/raw/c7c0047ea2407acd2b6c1b0c16fc503737d23c37/data/exploits/CVE-2024-30085/cve-202430085-dll.dll