...
In order to sort through the many process injections that happen on a system at any given time, we can refer to both the time of the incident, and the pid of the flagged process. Normally we will start with a few pids of suspicious responses, and go up the chain of injections and creation to gain the full story.
We already know that no one should be injecting into Svchost in this way, but definitely not this process! From here on we can treat this process as if it’s “malware.exe” and see who ran it, since someone must have.
...
Since there were two process creations with pid 9168, and they are very different, we can narrow it down based on the timestamp and/or the child path, and see that it was created by an explorer.exe. This means someone manually ran the injector process, and it can’t be some coincidence of Svchost behavior that was incorrectly flagged.
Relevant documentation
Link to our process injection pageProcess Injection [Stub Index / Parent Page]
...