Technical Information
- <SYSTEM32>\tasks\winhoststartformachine
- %PROGRAMDATA%\winhost.exe
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- <Full path to file>
- %PROGRAMDATA%\winhost.exe
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK ip###ger.com
- DNS ASK po##.#inexmr.com
- ClassName: '' WindowName: 'Process Hacker [xipzilg\user]'
- '%PROGRAMDATA%\winhost.exe'
- '%WINDIR%\syswow64\schtasks.exe' /Create /SC MINUTE /MO 1 /TN WinHostStartForMachine /TR %PROGRAMDATA%\winhost.exe (with hidden window)
- '%PROGRAMDATA%\winhost.exe' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /Create /SC MINUTE /MO 1 /TN WinHostStartForMachine /TR %PROGRAMDATA%\winhost.exe
- '<SYSTEM32>\taskeng.exe' {72E9B1BA-3C16-421F-9292-26994B593B1D} S-1-5-21-1960123792-2022915161-3775307078-1001:xipzilg\user:Interactive:[1]