2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe
Size

983KB
MD5

49c0aad18bba1e7201f3b007069aa970
SHA1

e1b1377359856bad574cd5423dab0d5eafd8688e
SHA256

2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764
SHA512

129895eb1604e4614bd76d702b37cd5c2605f436ed68b6e9df199f24439fa7240ea7e7c83af161d58f8eace6f9c1f335e71772842a17fc01f1c7e59e7de40237
SSDEEP

24576:Lo51Bzf+FtmlnkAK/yEl7qrraXbM94YM:+o/FluraLo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4588	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	86
PID 4492 wrote to memory of 4588	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	86
PID 4588 wrote to memory of 1040	4588	cmd.exe	88
PID 4588 wrote to memory of 1040	4588	cmd.exe	88
PID 4492 wrote to memory of 2020	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	89
PID 4492 wrote to memory of 2020	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	89
PID 4492 wrote to memory of 3472	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	90
PID 4492 wrote to memory of 3472	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	90
PID 4492 wrote to memory of 876	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	94
PID 4492 wrote to memory of 876	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	94
PID 4492 wrote to memory of 2840	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	98
PID 4492 wrote to memory of 2840	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	98
PID 4492 wrote to memory of 1424	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	100
PID 4492 wrote to memory of 1424	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	100
PID 2840 wrote to memory of 3448	2840	cmd.exe	102
PID 2840 wrote to memory of 3448	2840	cmd.exe	102
PID 1424 wrote to memory of 2888	1424	cmd.exe	103
PID 1424 wrote to memory of 2888	1424	cmd.exe	103
PID 4492 wrote to memory of 2028	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	105
PID 4492 wrote to memory of 2028	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	105
PID 2028 wrote to memory of 3448	2028	cmd.exe	107
PID 2028 wrote to memory of 3448	2028	cmd.exe	107
PID 4492 wrote to memory of 4476	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	108
PID 4492 wrote to memory of 4476	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	108
PID 4492 wrote to memory of 1660	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	112
PID 4492 wrote to memory of 1660	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	112
PID 1660 wrote to memory of 5132	1660	cmd.exe	114
PID 1660 wrote to memory of 5132	1660	cmd.exe	114
PID 4492 wrote to memory of 5152	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	115
PID 4492 wrote to memory of 5152	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	115
PID 4492 wrote to memory of 5256	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	117
PID 4492 wrote to memory of 5256	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	117
PID 5256 wrote to memory of 5308	5256	cmd.exe	119
PID 5256 wrote to memory of 5308	5256	cmd.exe	119
PID 4492 wrote to memory of 5324	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	120
PID 4492 wrote to memory of 5324	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	120
PID 4492 wrote to memory of 5412	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	122
PID 4492 wrote to memory of 5412	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	122
PID 5412 wrote to memory of 5464	5412	cmd.exe	124
PID 5412 wrote to memory of 5464	5412	cmd.exe	124
PID 4492 wrote to memory of 5488	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	125
PID 4492 wrote to memory of 5488	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	125
PID 4492 wrote to memory of 5564	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	127
PID 4492 wrote to memory of 5564	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	127
PID 5564 wrote to memory of 5616	5564	cmd.exe	129
PID 5564 wrote to memory of 5616	5564	cmd.exe	129
PID 4492 wrote to memory of 5636	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	130
PID 4492 wrote to memory of 5636	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	130
PID 4492 wrote to memory of 5792	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	133
PID 4492 wrote to memory of 5792	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	133
PID 5792 wrote to memory of 5844	5792	cmd.exe	135
PID 5792 wrote to memory of 5844	5792	cmd.exe	135
PID 4492 wrote to memory of 5864	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	136
PID 4492 wrote to memory of 5864	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	136
PID 4492 wrote to memory of 6084	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	140
PID 4492 wrote to memory of 6084	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	140
PID 6084 wrote to memory of 6136	6084	cmd.exe	142
PID 6084 wrote to memory of 6136	6084	cmd.exe	142
PID 4492 wrote to memory of 5132	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	143
PID 4492 wrote to memory of 5132	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	143
PID 4492 wrote to memory of 2744	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	145
PID 4492 wrote to memory of 2744	4492	2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe	145
PID 2744 wrote to memory of 1572	2744	cmd.exe	147
PID 2744 wrote to memory of 1572	2744	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f6c72e157e6434ddbc6114c98921d44f073866b8f23d4c3ce0f01914aeac764_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:1040
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2020
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:3472
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:3448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:2888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:3448
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:5132
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5256
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:5308
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5412
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:5464
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5564
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:5616
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5792
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:5844
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6084
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:6136
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:1572
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:4164
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:5296
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:5244
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:3796
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:5448
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:5512
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:5592
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:5636
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4792
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:4676
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:1416
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:1800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:4472
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:856
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:4464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:2868
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:2268
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:4664
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:212
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:3800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:860
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:3128
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:3412
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:1120
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:1140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:4984
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:1772
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:1920
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:2944
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:868
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:2940
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:1856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:5084
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:2016
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:3600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:4948
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:4080
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:2004
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:2104
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:4212
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:3412
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:3992
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:1800
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:968
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:3516
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:3944
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:2996
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:5248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:5648
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:4704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:764
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:6056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:4236
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:1472
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:1852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:4104
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:224
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C arp -a
  2⤵
  PID:4080
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:2476
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4492-0-0x00007FFA30AA5000-0x00007FFA30AA6000-memory.dmp

Filesize
4KB

Download
memory/4492-2-0x000000001C540000-0x000000001CA0E000-memory.dmp

Filesize
4.8MB

Download
memory/4492-1-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-3-0x000000001BFA0000-0x000000001C03C000-memory.dmp

Filesize
624KB

Download
memory/4492-4-0x00000000019D0000-0x00000000019D8000-memory.dmp

Filesize
32KB

Download
memory/4492-5-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-6-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-7-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-8-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-9-0x00000000200C0000-0x0000000020122000-memory.dmp

Filesize
392KB

Download
memory/4492-10-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-11-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-12-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-13-0x00007FFA30AA5000-0x00007FFA30AA6000-memory.dmp

Filesize
4KB

Download
memory/4492-14-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-15-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-16-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-17-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-18-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download
memory/4492-19-0x00007FFA307F0000-0x00007FFA31191000-memory.dmp

Filesize
9.6MB

Download