taskhostw.exe tries to delete MsoIrmProtector.doc

  • Thread starter Thread starter Ceyhun Kıvanç Demir
  • Start date Start date
C

Ceyhun Kıvanç Demir

Guest
Hello, I'm a SOC Analyst We have recieved a block alert in our EDR about a windows11 pro got block on taskhostw.exe however I couldn't find any resource or document about that its a natural behavior of windows. We also accrossed this behavior in 2 devices between 1500 devices which made me more suspicious on this caseparentchild process is belowwininit.exe > services.exe > svchost.exe (with arguements -k netsvcs -p -s Schedule) > taskhostw.exe --- attempts to delete --> MsoIrmProtector.docI have checked the hashes of all process in tree in case of a malicious program copies name,

Continue reading...
 
Back
Top