Injection into (trusted/email client) process

[thae 9]

Hello everyone,

I'm only testing Inspect on about 20 PCs, and only on one PC I have constantly the following events:

1. Injection into trusted process [F0414b][C]
   Trigger Event: %PROGRAMFILES(X86)%\microsoft office\office15\excel.exe
   Executables: dwm.exe, compattelrunner.exe, wmiprvse.exe, msedge.exe and some more
2. Injection into email client process [F0417][C]
   Trigger Event: %PROGRAMFILES(X86)%\microsoft office\office15\outlook.exe and some more
   Executables: microsoft.photos.exe, runtimebroker.exe, wermgr.exe

It's only this one PC and all of the executables are legitimate (mostly windows) programs. What can I do to make it stop beside setting exclusions for only this one PC. Every other PC has Outlook and Excel too but there are no events from them.

 

 

[Jamil-soc 4]

Can you provide a screenshot of the detection? Which version of Windows OS is the system running?

Edited February 14, 2023 by Jamil-soc

[thae 9]

The system is running the latest W10 22H2.

Here is the screenshot from the executable:

and the one from the triggered event:

The events from today only have excel with the same LNK file path, but in the past there were triggered events from excel and word with no LNK file path given.

I thought maybe it would only trigger on this one link, but nope.