security issue
Dear Adobe Security Team,
We are reaching out regarding multiple alerts observed in our environment tied to the execution of node.exe within the Adobe Creative Cloud Experience directory. Also, the hash is successfully blocked by Trend Micro based on hash reputation.
Key details from our investigation:
File path: C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe
File hash: d14ba95cdce1ef7dc9ad3ac74949ca5db38b27378ee30f30a23cf26f9e875a11
File signature: Signed by Node.js Foundation, consistent with Adobe’s legitimate bundling of Node.js Parent process: ccxprocess.exe (Adobe Creative Cloud component)
Child processes: cmd.exe creating a scheduled task to launch CCXProcess daily, and cmd.exe querying registry keys under HKLM\SOFTWARE\Policies\Adobe\CCXProcess
Given the initial association of this hash with the Photo ZIP campaign, we would like Adobe’s confirmation on whether this behavior is expected and benign, or if further investigation is warranted.
Please advise on next steps and whether any remediation or updates are recommended.
Thank you,
Shilnas Yoonus
