Technical Information
- <SYSTEM32>\tasks\winhoststartformachne
- %PROGRAMDATA%\winhost.exe
- <Full path to file>
- %PROGRAMDATA%\winhost.exe
- '18#.#46.153.100':3333
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK ip###ger.com
- DNS ASK microsoft.com
- ClassName: '' WindowName: 'Process Hacker [hrbhibtvk\user]'
- '%PROGRAMDATA%\winhost.exe'
- '%WINDIR%\syswow64\schtasks.exe' /Create /SC MINUTE /MO 1 /TN WinHostStartForMachne /TR %PROGRAMDATA%\winhost.exe (with hidden window)
- '%PROGRAMDATA%\winhost.exe' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /Create /SC MINUTE /MO 1 /TN WinHostStartForMachne /TR %PROGRAMDATA%\winhost.exe
- '<SYSTEM32>\taskeng.exe' {DB207965-0F75-448F-A2EE-4C5DD6D9F9D6} S-1-5-21-1960123792-2022915161-3775307078-1001:hrbhibtvk\user:Interactive:[1]