network – Find the process that queries a malicious domain every 2 minutes!

I found suspicious traffic on a client a few days ago.
A process in the client queries a malicious domain every 2 minutes.
The domain is "hostingcloud.science" that hosts a js for the mining of currencies
enter the description of the image here

I checked the client with procmon and found the traffic sent by svchost.exe

enter the description of the image here

And also with netstat it was the same:

enter the description of the image here

Now I have some questions:

  1. What is the meaning of "Dnscache" in the netstat result? why it does not stop after ipconfig / flushdns
  2. Why does the client consult that domain continuously but I do not have traffic with the domain?
  3. How to find the root cause?

Ps: I checked the client with two different AV and it was clean, I only know that the client has visited a website that contains a js with that domain a few days ago.