This repository was archived by the owner on Apr 8, 2025. It is now read-only.
This repository was archived by the owner on Apr 8, 2025. It is now read-only.
[New WTFBin]: WTFBIN Here #16
Description
- Contributor Name: Matt Anderson
- Application/Executable: c:\windows\system\svchost.exe, c:\windows\system\spoolsv.exe, c:\windows\system\explorer.exe
- WTF Behavior Description:. Named after legitimate Windows binaries, in the wrong location. They were spawned in succession from C:\Program Files (x86)\noregon\JPRO diagnostics\Fleets.exe" > "C:\Program Files (x86)\noregon\JPRO diagnostics_jpro_start.exe" > C:\Users\AppData\Local\icsys.icn.exe" > c:\windows\system\explorer.exe > c:\windows\system\spoolsv.exe > c:\windows\system\svhost.exe. The files are custom binaries compiled with Visual Basic. They appear to be changed/created regularly as the hashes seem to change often.
- Link to Documentation of Behavior:. Noregon support said they were a part of the software but had no official documentation to provide me. https://shop.noregon.com/collections/jpro-professional
- Please provide any images for additional evidence.
