Injection into (trusted/email client) process

Hello everyone,

I'm only testing Inspect on about 20 PCs, and on only one PC I constantly get the following events:

  1. Injection into trusted process [F0414b][C]
    Trigger Event: %PROGRAMFILES(X86)%\microsoft office\office15\excel.exe
    Executables: dwm.exe, compattelrunner.exe, wmiprvse.exe, msedge.exe and some more
  2. Injection into email client process [F0417][C]
    Trigger Event: %PROGRAMFILES(X86)%\microsoft office\office15\outlook.exe and some more
    Executables: microsoft.photos.exe, runtimebroker.exe, wermgr.exe

It's only this one PC and all of the executables are legitimate (mostly Windows) programs. What can I do to make it stop besides setting exclusions for only this one PC? Every other PC has Outlook and Excel too, but there are no events from them.


Can you provide a screenshot of the detection? Which version of Windows OS is the system running?

Edited by Jamil-soc

The system is running the latest W10 22H2.

Here is the screenshot from the executable:

image.png.0fd1a417d22b04f294f9cadcef18e778.png

and the one from the triggered event:

image.png.3e8b0baaefdf6ad302f4cbbf3466e780.png

The events from today only have Excel with the same LNK file path, but in the past there were triggered events from Excel and Word with no LNK file path given.

I thought maybe it would only trigger on this one link, but nope.
