Technical Information
- <SYSTEM32>\tasks\winhoststartformachne
- %PROGRAMDATA%\winhost.exe
- <Full path to file>
- %PROGRAMDATA%\winhost.exe
- 'ip###ger.com':443
- 'po##.#upportxmr.com':3333
- DNS ASK ip###ger.com
- DNS ASK po##.#upportxmr.com
- DNS ASK public-trust.com
- ClassName: '' WindowName: 'Process Hacker [afqpeovfhv\user]'
- '%PROGRAMDATA%\winhost.exe'
- '<SYSTEM32>\schtasks.exe' /Create /SC MINUTE /MO 1 /TN WinHostStartForMachne /TR %PROGRAMDATA%\winhost.exe' (with hidden window)
- '%PROGRAMDATA%\winhost.exe' ' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /Create /SC MINUTE /MO 1 /TN WinHostStartForMachne /TR %PROGRAMDATA%\winhost.exe
- '<SYSTEM32>\taskeng.exe' {8770E531-E3A4-4D9D-8864-1717F3CB65D2} S-1-5-21-1960123792-2022915161-3775307078-1001:afqpeovfhv\user:Interactive:[1]