I found suspicious traffic on a client a few days ago.
A process in the client queries a malicious domain every 2 minutes.
The domain is "hostingcloud.science", which hosts a JS for the mining of currencies.
I checked the client with Procmon and found the traffic sent by svchost.exe.
And also with netstat it was the same:
Now I have some questions:
- What is the meaning of "Dnscache" in the netstat result? Why does it not stop after `ipconfig /flushdns`?
- Why does the client consult that domain continuously but I do not have traffic with the domain?
- How to find the root cause?
PS: I checked the client with two different AVs and it was clean; I only know that the client visited a website that contains a JS with that domain a few days ago.
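A defender-side check for the root-cause question above, added here as an example and not part of the original post. It assumes an elevated PowerShell session on the affected Windows client and Sysmon installed with a DnsQuery (event ID 22) rule; the domain is the one named in the post.

```powershell
# Added example (not from the original post): attribute DNS lookups for the
# suspicious domain to a process on a Windows client.
# Assumptions: elevated PowerShell on the affected host; Sysmon is installed
# with DNS query logging (event ID 22) enabled.
$Domain = 'hostingcloud.science'   # domain named in the post

# 1. Is the name still in the DNS Client cache? "Dnscache" is the DNS Client
#    service, hosted inside svchost.exe; netstat -b prints the service name
#    beneath the svchost.exe that owns the socket. The cache is emptied by
#    ipconfig /flushdns, but any process that keeps resolving the name will
#    repopulate it, so the entry reappearing is a symptom, not the cause.
$cached = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$Domain*" }
if ($cached) {
    Write-Host "Cached entries for $Domain (TTL in seconds):"
    $cached | Select-Object Entry, Data, TimeToLive | Format-Table -AutoSize
} else {
    Write-Host "No cached entry for $Domain at the moment."
}

# 2. Which process asked for the name? Sysmon event ID 22 records the
#    querying Image and ProcessId for each DNS query it observes.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$hits = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['QueryName'] -like "*$Domain*") {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            ProcessId = $data['ProcessId']
            Image     = $data['Image']
            QueryName = $data['QueryName']
        }
    }
}
if ($hits) {
    # The ~2 minute period should be visible in Time; the Image column shows
    # the real requester (a browser, a scheduled task, or a service DLL in
    # svchost.exe; for the latter, map the PID with: tasklist /svc).
    $hits | Sort-Object Time | Format-Table Time, ProcessId, Image, QueryName -AutoSize
    $hits | Group-Object Image | Select-Object Count, Name | Format-Table -AutoSize
} else {
    Write-Host "No Sysmon DNS events for $Domain; confirm Sysmon logs event ID 22."
}
```

If the only image reported is svchost.exe, the query is coming from a hosted service rather than a user application, and `tasklist /svc /fi "PID eq <pid>"` narrows it to the specific service.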