
[New WTFBin]: AdobeUpdateService

Open joshnck opened this issue 2 years ago • 1 comment

  • Contributor Name: @ImLordOfTheRing
  • Application/Executable: Adobe Update service spawning process RuntimeCustomHook.exe
  • WTF Behavior Description: During the update process it appears that Adobe accesses and modifies windows\system32\restore\MachineGuid.txt, which may trigger detections monitoring for Volume Shadow Copy alteration. I believe that this is part of the registration process where Adobe is checking in to make sure you're authorized to use the product. The trigger follows this path: Adobe Installer.exe -> Setup.exe -> RuntimeCustomHook.exe -> VCRedist_X86.exe (command line: "C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\Runtime\customhook\vc13\32bit\vcredist_x86.exe" /q /norestart -burn.unelevated BurnPipe.<UUID> <UUID> <PID>)
  • Link to Documentation of Behavior: None that I can find
  • Please provide any images for additional evidence.

joshnck · Jan 02 '23 17:01
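The process chain and command line reported above are exactly what a detection engineer needs to suppress this as a known WTFBin without suppressing the binary outright. The following is an added example, not code from the issue or from the WTFBins project: it reconstructs the parent chain from process-creation events and only treats a vcredist_x86.exe launch as the documented Adobe Update behaviour when both the command line (quoted in the issue) and the full ancestry (Adobe Installer.exe -> Setup.exe -> RuntimeCustomHook.exe -> vcredist_x86.exe) match. The event field names, every path other than the vcredist_x86.exe one, the placeholder UUID/PID values, and the relaxed `customhook\...` sub-path are assumptions; the sample events are constructed, not real telemetry.

```python
import re
from typing import Dict, List

# Command line as quoted in the issue, with the two <UUID> tokens and <PID>
# replaced by placeholder values (assumption: the real tokens are opaque).
VCREDIST_CMDLINE_SAMPLE = (
    r'"C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common'
    r'\Runtime\customhook\vc13\32bit\vcredist_x86.exe" /q /norestart '
    r'-burn.unelevated BurnPipe.{AAAAAAAA-0000-4000-8000-000000000001} '
    r'{BBBBBBBB-0000-4000-8000-000000000002} 300'
)

# Constructed process-creation events (not real telemetry). Field names and
# all paths except the vcredist_x86.exe one are assumptions.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\alice\Downloads\Adobe Installer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Temp\AdobeSetup\Setup.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Temp\AdobeSetup\RuntimeCustomHook.exe"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common"
              r"\Runtime\customhook\vc13\32bit\vcredist_x86.exe",
     "cmdline": VCREDIST_CMDLINE_SAMPLE},
    # Same binary and arguments, but launched from a shell instead of the
    # Adobe chain: this must NOT be suppressed.
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 600, "ppid": 500,
     "image": r"C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common"
              r"\Runtime\customhook\vc13\32bit\vcredist_x86.exe",
     "cmdline": VCREDIST_CMDLINE_SAMPLE},
]

# Expected ancestry, root first, from the issue report.
EXPECTED_CHAIN = ["adobe installer.exe", "setup.exe",
                  "runtimecustomhook.exe", "vcredist_x86.exe"]

# Command-line pattern. The customhook sub-path (vc13\32bit in the issue) is
# matched loosely on the assumption that it varies with the runtime version.
VCREDIST_CMDLINE = re.compile(
    r'^"C:\\Program Files \(x86\)\\Common Files\\Adobe\\Adobe Desktop Common'
    r'\\Runtime\\customhook\\[^"]+\\vcredist_x86\.exe" '
    r'/q /norestart -burn\.unelevated BurnPipe\.\S+ \S+ \d+$',
    re.IGNORECASE,
)


def _basename(image: str) -> str:
    """Lower-cased file name of an image path (handles either slash style)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Walk ppid links upward and return image basenames, root first.
    Stops at an unknown parent or a pid cycle (corrupt telemetry)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(_basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return list(reversed(chain))


def is_known_adobe_vcredist(events: List[Dict], pid: int) -> bool:
    """True only when the command line AND the ancestry match the documented
    Adobe Update behaviour; parents above Adobe Installer.exe are ignored."""
    ev = next((e for e in events if e["pid"] == pid), None)
    if ev is None or not VCREDIST_CMDLINE.match(ev.get("cmdline", "")):
        return False
    chain = ancestry(events, pid)
    return chain[-len(EXPECTED_CHAIN):] == EXPECTED_CHAIN


def triage(events: List[Dict]) -> Dict[int, str]:
    """Classify every vcredist_x86.exe launch: 'suppress' when it matches the
    documented Adobe Update chain, otherwise 'alert' for analyst review."""
    verdicts = {}
    for ev in events:
        if _basename(ev["image"]) == "vcredist_x86.exe":
            known = is_known_adobe_vcredist(events, ev["pid"])
            verdicts[ev["pid"]] = "suppress" if known else "alert"
    return verdicts


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The point of checking the whole chain rather than just the binary name or the `-burn.unelevated BurnPipe.` arguments is that the same redistributable can be launched by anything; only the combination reported here is the behaviour worth baselining.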

If that is a CrowdStrike alert (no idea how I thought of this, ahem ahem ahem cough cough) then it's not related to this specific path; there's a DCOM operation in the raw eam2 telemetry (Splunk events) with a GUID pointing to one specific operation which touches the VSS services. They (CS) generate a bunch of FPs these days with that. Their web UI is really confusing and does not show this critical piece of information anywhere; you have to dig down into the Splunk telemetry data. Also, we're hiring.

59e5aaf4 · Apr 21 '23 09:04