
Recently Windows Defender warned me about a possibly malicious program it found on my PC. I have trouble interpreting the data Windows Defender serves me, and I haven't found any Microsoft documentation regarding the ProcessStart value.

The reports from Windows Defender are as follows (my output is in Dutch, so I translated it to English):

1. Solution insufficient:

Detected: HackTool:Win32/Wpakill.AR!MTB

Status: Failure

This threat or this application may not be fully restored.

Date: 9-2-2022 20:01

Details: This program may show unwanted behaviour

Items involved: 

process: pid:7576,ProcessStart:132889069092372720

2. Threat removed or restored:

Detected: HackTool:Win32/Wpakill.AR!MTB

Status: Removed or returned

This threat or app has been deleted from quarantine or restored to the computer


Date: 9-2-2022 20:01

Details: This program may show unwanted behaviour

Items involved:

process: pid:708,ProcessStart:132889068914364653

Now, putting "HackTool:Win32/Wpakill.AR!MTB" into Google, the true severity of my problem remains a little vague. The actual payload may or may not have been run. This may or may not have dangerous effects on your OS. However, my computer does suffer from weird symptoms like slow startup time, random crashes, CPU spikes and slow application responses. This has been the case for several years now, despite my regular Malwarebytes scans and CHKDSK operations, so it's a bit difficult to link this to any specific event.

I have traced the PIDs with tasklist.

tasklist /FI "PID eq 7576"
>>> no tasks are running with the specified criteria

tasklist /FI "PID eq 708"
>>> Imagename: SystemSettingsBroker.exe, PID: 708, Session: Console, Session#: 1, Mem usage: 29.324 K

Checking the SystemSettingsBroker.exe file properties, it does indeed show a Microsoft SHA-256 verified signature.

I have searched on Google for:

  • Windows defender how to interpret startProcess
  • Windows defender startProcess
  • Windows defender item specification
  • Windows defender startProcess item specification

My interpretation of the things I have found online leads me to believe that the ProcessStart is an entry to an event. I opened Event Viewer and searched all the logs at the specified date from Windows Defender, but couldn't find any irregularities. Then I tried querying the logs for the entry ID using:

wevtutil qe Application /q:132889069092372720
>>> None

wevtutil qe Security /q:132889069092372720
>>> None

wevtutil qe System /q:132889069092372720
>>> None

It is highly probable that I am using these commands wrongly. However, I fear I may be too inexperienced to trace this issue any further without help. Can anybody give me a hint about how to trace this magical ProcessStart value offered by Windows Defender?


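Editor's worked example, added here and not part of the question above nor Microsoft documentation. The two ProcessStart values have the shape of a Windows FILETIME: a count of 100-nanosecond ticks since 1601-01-01 00:00 UTC. Decoding the first one gives 2022-02-09 19:01:49 UTC, which is 20:01 CET, the timestamp shown in the report; the second decodes to 17.8 seconds earlier. So ProcessStart is the creation time of the flagged process (what `(Get-Process -Id 708).StartTime` reports in PowerShell), not an event-record ID, which is also why `wevtutil qe <log> /q:<number>` returns nothing: `/q:` expects an XPath filter. The script below parses the "process:" item lines from the report (constructed input copied from the question), converts the ticks to UTC and to the assumed local zone (CET, UTC+1, since the report is Dutch and dated February), and builds `wevtutil` commands for the standard event IDs around that instant: 4688 in the Security log (process creation, only present if "Audit Process Creation" is enabled) and 1116/1117 in `Microsoft-Windows-Windows Defender/Operational` (detection and action taken). The 10-second window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10

# Matches the "Items involved" line of the Defender report, e.g.
# "process: pid:7576,ProcessStart:132889069092372720"
ITEM_RE = re.compile(r"process:\s*pid:(\d+),\s*ProcessStart:(\d+)")

# Assumption: the report was produced on a Dutch system in February, i.e. CET (UTC+1).
ASSUMED_LOCAL_TZ = timezone(timedelta(hours=1))


def parse_defender_item(line: str) -> Tuple[int, int]:
    """Return (pid, filetime_ticks) from a Defender 'process:' item line."""
    m = ITEM_RE.search(line)
    if not m:
        raise ValueError(f"not a Defender process item: {line!r}")
    return int(m.group(1)), int(m.group(2))


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert FILETIME ticks to a timezone-aware UTC datetime.

    Integer division keeps the sub-second part exact to 1 microsecond; going
    through float seconds would lose precision on these 18-digit values.
    """
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def _xml_time(dt: datetime) -> str:
    """Format as the SystemTime attribute of event XML: ISO 8601 UTC, ms precision, Z suffix."""
    u = dt.astimezone(timezone.utc)
    return u.strftime("%Y-%m-%dT%H:%M:%S.") + f"{u.microsecond // 1000:03d}Z"


def wevtutil_query(log: str, event_ids: Iterable[int], center: datetime, window_s: int = 10) -> str:
    """Build a wevtutil command selecting event_ids in `log` within +/- window_s of `center`."""
    lo, hi = center - timedelta(seconds=window_s), center + timedelta(seconds=window_s)
    ids = " or ".join(f"EventID={i}" for i in event_ids)
    xpath = (f"*[System[({ids}) and TimeCreated["
             f"@SystemTime>='{_xml_time(lo)}' and @SystemTime<='{_xml_time(hi)}']]]")
    return f'wevtutil qe "{log}" /q:"{xpath}" /f:text'


def analyze(report_lines: Iterable[str], local_tz: timezone = ASSUMED_LOCAL_TZ) -> List[Tuple[int, datetime, datetime]]:
    """Decode each item line into (pid, start_utc, start_local)."""
    results = []
    for line in report_lines:
        pid, ticks = parse_defender_item(line)
        utc = filetime_to_datetime(ticks)
        results.append((pid, utc, utc.astimezone(local_tz)))
    return results


if __name__ == "__main__":
    # Constructed input: the two item lines exactly as they appear in the report.
    REPORT = [
        "process: pid:7576,ProcessStart:132889069092372720",
        "process: pid:708,ProcessStart:132889068914364653",
    ]
    for pid, utc, local in analyze(REPORT):
        print(f"pid {pid}: started {utc.isoformat()} ({local.strftime('%d-%m-%Y %H:%M:%S')} local)")
        print("  ", wevtutil_query("Security", [4688], utc))
        print("  ", wevtutil_query("Microsoft-Windows-Windows Defender/Operational", [1116, 1117], utc))
```

Run the generated commands in an elevated prompt on the affected machine. The start time is what ties the report to a particular process instance: `tasklist` only tells you which process currently owns a PID, and PIDs are reused once a process exits, so a live process with PID 708 is the one Defender meant only if its `StartTime` matches the decoded value. The 1116/1117 events carry the path of the detected file, which `tasklist` cannot give you for a process that is no longer running.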