My take -
Rob at Errata Sec did a concise job of showing how to use sysmon to track down a weird pop-up. This one came from MS Office update. He uses the @SwiftonSecurity sysmon-config that I posted about recently.
From the article:
“How to track that annoying pop-up
In a recent update to their Office suite on Windows, Microsoft made a mistake where every hour, for a fraction of a second, a black window pops up on the screen. This leads many to fear their system has been infected by a virus. I thought I’d document how to track this down.“”