Technical Information
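- <SYSTEM32>\tasks\phconhost (task file for the PHconhost scheduled task created by the schtasks command listed below, which runs %ALLUSERSPROFILE%\RuntimeBroker.exe every minute)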
- %ALLUSERSPROFILE%\runtimebroker.exe
- %ALLUSERSPROFILE%\windows\runtime broker.exe
- %ALLUSERSPROFILE%\runtimebroker.exe
- %ALLUSERSPROFILE%\windows\runtime broker.exe
- 'f0####77.xsph.ru':80
- http://f0####77.xsph.ru/txt.txt
- http://f0####77.xsph.ru/ConHost.exe
- http://f0####77.xsph.ru/Lite.exe
- DNS ASK f0####77.xsph.ru
- '%ALLUSERSPROFILE%\runtimebroker.exe'
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn PHconhost /tr %ALLUSERSPROFILE%\RuntimeBroker.exe /sc minute /mo 1 (with hidden window)
- '%ALLUSERSPROFILE%\runtimebroker.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn PHconhost /tr %ALLUSERSPROFILE%\RuntimeBroker.exe /sc minute /mo 1
- '%WINDIR%\syswow64\schtasks.exe' /create /tn PHconhost /tr %ALLUSERSPROFILE%\RuntimeBroker.exe /sc minute /mo 1
- '<SYSTEM32>\taskeng.exe' {8525C2C3-B4C5-4C44-8A1F-9BB2A51F7521} S-1-5-21-1960123792-2022915161-3775307078-1001:dlyznqktsx\user:Interactive:[1]