Contributor Name: Freddy Ouzan (@falsneg), John Harrison (@Cratez)
Application/Executable: Creative_Cloud_Set-Up.exe (Adobe Creative Cloud [winget/XPDLPKWG9SW2WD] Version 5.11.0.522.1)
WTF Behavior Description: Adobe Creative Cloud setup spawns and injects code into explorer.exe to delete itself. The injected function calls WaitForSingleObject(INFINITE) on a duplicated handle to the injector's process, then calls CloseHandle on it, then loops over DeleteFileW, retrying with an inner Sleep(1000) while it fails until it succeeds, and then calls ExitProcess(0).
Link to Documentation of Behavior: N/A; @Cratez noticed this weird behavior, we didn't find any other references.
Please provide any images for additional evidence.
They could've just registered a one-time task to rundll32.exe advpack.dll,DelNodeRunDLL32 theirfile but they still decided to inject and be so noisy
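A detection-side illustration of the sequence reported above, as an added example that is not from the submitters or from Adobe: a Python correlator over Sysmon-style events that flags an explorer.exe instance deleting the image of the process that spawned it. It assumes Sysmon process-create (1), CreateRemoteThread (8) and file-delete (23/26) events are collected; the report does not say which injection API is used, so event 8 is treated only as optional corroboration, and the sample events, paths and GUIDs are constructed.

```python
# Added example; events below are constructed, field names follow Sysmon's schema.
from collections import namedtuple

Finding = namedtuple("Finding", "deleted_image explorer_guid remote_thread_seen")

def find_injected_self_delete(events):
    """Flag explorer.exe instances that delete the image of the process that spawned them."""
    spawned = {}           # explorer ProcessGuid -> (parent ProcessGuid, parent image path)
    remote_thread = set()  # explorer ProcessGuids that got a remote thread from their parent
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and ev["Image"].lower().endswith("\\explorer.exe"):
            spawned[ev["ProcessGuid"]] = (ev["ParentProcessGuid"], ev["ParentImage"])
        elif eid == 8:  # CreateRemoteThread: corroborates injection, not required
            parent = spawned.get(ev["TargetProcessGuid"])
            if parent and parent[0] == ev["SourceProcessGuid"]:
                remote_thread.add(ev["TargetProcessGuid"])
        elif eid in (23, 26):  # FileDelete / FileDeleteDetected
            parent = spawned.get(ev["ProcessGuid"])
            if parent and ev["TargetFilename"].lower() == parent[1].lower():
                findings.append(Finding(parent[1], ev["ProcessGuid"],
                                        ev["ProcessGuid"] in remote_thread))
    return findings

SETUP = r"C:\Users\alice\Downloads\Creative_Cloud_Set-Up.exe"  # constructed path
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE = [  # constructed events; GUIDs are placeholders
    # Normal shell started at logon, deleting an unrelated file: not flagged.
    {"EventID": 1, "Image": EXPLORER, "ProcessGuid": "{A-1}",
     "ParentProcessGuid": "{U-1}", "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 23, "ProcessGuid": "{A-1}", "TargetFilename": r"C:\Users\alice\old.txt"},
    # Installer spawns explorer.exe, starts a thread in it, and is then deleted by it.
    {"EventID": 1, "Image": EXPLORER, "ProcessGuid": "{B-2}",
     "ParentProcessGuid": "{S-9}", "ParentImage": SETUP},
    {"EventID": 8, "SourceProcessGuid": "{S-9}", "TargetProcessGuid": "{B-2}"},
    {"EventID": 26, "ProcessGuid": "{B-2}", "TargetFilename": SETUP.lower()},
]

if __name__ == "__main__":
    for f in find_injected_self_delete(SAMPLE):
        print(f)
```

The parent-image match is what separates this pattern from the logon shell's ordinary file deletions; the remote-thread flag only raises confidence when that telemetry exists.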