Ceyhun Kıvanç Demir
Guest
Hello, I'm a SOC analyst. We have received a block alert in our EDR about a Windows 11 Pro device that got a block on taskhostw.exe; however, I couldn't find any resource or document saying that it's a natural behavior of Windows. We also came across this behavior on 2 devices out of 1500 devices, which made me more suspicious of this case.

The parent-child process tree is below:

wininit.exe > services.exe > svchost.exe (with arguments -k netsvcs -p -s Schedule) > taskhostw.exe --- attempts to delete --> MsoIrmProtector.doc

I have checked the hashes of all processes in the tree in case a malicious program copies the name,