Technical Information
- <SYSTEM32>\tasks\winhoststartformachine
- %PROGRAMDATA%\winhost.exe
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- <Full path to file>
- %PROGRAMDATA%\winhost.exe
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- DNS ASK ip###ger.com
- '%PROGRAMDATA%\winhost.exe'
- '%WINDIR%\syswow64\schtasks.exe' /Create /SC MINUTE /MO 1 /TN WinHostStartForMachine /TR %PROGRAMDATA%\winhost.exe (with hidden window)
- '%PROGRAMDATA%\winhost.exe' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /Create /SC MINUTE /MO 1 /TN WinHostStartForMachine /TR %PROGRAMDATA%\winhost.exe
- '<SYSTEM32>\taskeng.exe' {16BD837D-0D4F-4B24-996E-B382365D8E65} S-1-5-21-1960123792-2022915161-3775307078-1001:jxurfqfo\user:Interactive:[1]