WTFBins?!

Adobe Reader for no reason starts a subprocess using the command line "I run".

WMIExec-ish NDCC

Bizarre sub-processes.

Windows uses random high service ports for a variety of functions.

The Nim language installer binaries in certain versions trigger Windows Defender.

Yet another base64-loving process.

How much can an EDR look like malware?

It runs whoami because it's lost.

Guests are not invited to Everyone shares.

Base64-encoded PowerShell from Azure's own agent!

Random file extensions from iManage

Whoami? HostedAgent, of course!

SenseNDR base64 encoding

Avast scans your network on the sly.

EaseUS and bizarre Scheduled Tasks.

Everybody loves a big DNS query!

McAfee also loves big DNS queries!

Not just bad guys run whoami.

Palo Alto GP Firewall HIP check runs whoami.exe as SYSTEM.

Bizarre DNS requests on Samsung phones.

Yet another PowerShell weirdo.

EDRs 🤝 Malware

Encoded PowerShell

Ivanti does some weird stuff

A little LSASS, as a treat.

Named after legitimate Windows binaries, in the wrong location.

Not the Bloodhound you're thinking of.

How to look like malware, by RingCentral

Who doesn't love CScript?

Do you like giant DNS queries? Sophos does.

Windows Config Manager CCM.exe runs b64-encoded powershell.

Windows being sus? Inconceivable!

Cisco enumerates your system.

IBM creates WMI false positives

JetBrains queries security tools.

Nothing to see here

Who needs protection? Not LSA!

TFW the vuln scanner runs offensive tools.

IBM's pcsnp.exe just...what

Nacho dwm

A little wmic enumeration

What is it with antivirus and weird DNS?