[New WTFBin]: WTFBIN Here #16

Closed
MATTANDERS0N opened this issue Mar 28, 2022 · 1 comment
Labels: approved (Wtfbin approved), new wtfbin

Comments

@MATTANDERS0N
  • Contributor Name: Matt Anderson
  • Application/Executable: c:\windows\system\svchost.exe, c:\windows\system\spoolsv.exe, c:\windows\system\explorer.exe
  • WTF Behavior Description: Named after legitimate Windows binaries, in the wrong location. They were spawned in succession from C:\Program Files (x86)\noregon\JPRO diagnostics\Fleets.exe" > "C:\Program Files (x86)\noregon\JPRO diagnostics_jpro_start.exe" > C:\Users\AppData\Local\icsys.icn.exe" > c:\windows\system\explorer.exe > c:\windows\system\spoolsv.exe > c:\windows\system\svhost.exe. The files are custom binaries compiled with Visual Basic. They appear to be changed/created regularly as the hashes seem to change often.
  • Link to Documentation of Behavior: Noregon support said they were a part of the software but had no official documentation to provide me. https://shop.noregon.com/collections/jpro-professional
  • Please provide any images for additional evidence: two images attached.
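A defender-side check for the pattern this issue describes (a Windows system binary name running from an unexpected directory), added here as an example and not part of the WTFBins project. The expected-directory table is an assumption for a default Windows install, and the sample process chain is constructed from the paths reported above.

```python
import ntpath

# Assumption: where these binaries live on a default install. Adjust per environment.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed sample: the parent-to-child chain reported in this issue.
OBSERVED_CHAIN = [
    r"C:\Program Files (x86)\noregon\JPRO diagnostics\Fleets.exe",
    r"C:\Program Files (x86)\noregon\JPRO diagnostics_jpro_start.exe",
    r"C:\Users\AppData\Local\icsys.icn.exe",
    r"c:\windows\system\explorer.exe",
    r"c:\windows\system\spoolsv.exe",
    r"c:\windows\system\svchost.exe",
]


def check_location(image_path):
    """Return (name, actual_dir, expected_dirs) when a tracked binary name runs
    from a directory outside its expected set; otherwise return None."""
    # ntpath handles Windows separators regardless of the host OS.
    norm = ntpath.normpath(image_path).lower()
    directory, name = ntpath.split(norm)
    expected = EXPECTED_DIRS.get(name)
    if expected is None or directory in expected:
        return None
    return name, directory, sorted(expected)


def find_masquerading(chain):
    """Walk a parent-to-child chain and report each mismatched image together
    with the process that spawned it, which is the lineage an analyst wants."""
    hits = []
    for index, image in enumerate(chain):
        result = check_location(image)
        if result is None:
            continue
        name, actual, expected = result
        parent = chain[index - 1] if index > 0 else None
        hits.append({"name": name, "actual_dir": actual,
                     "expected_dirs": expected, "parent": parent})
    return hits


if __name__ == "__main__":
    for hit in find_masquerading(OBSERVED_CHAIN):
        print(f"{hit['name']} from {hit['actual_dir']} (expected {hit['expected_dirs']}), "
              f"spawned by {hit['parent']}")
```

A hit is a lead, not a verdict: as this issue shows, the match can be vendor software, which is exactly what an allow-list entry reviewed against the parent lineage is for.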
@mttaggart added the "approved" (Wtfbin approved) label on Mar 28, 2022

@mttaggart (Owner)

Added in 3723640.
