Noregon Fake Windows Components

2023-09-13 by Matt Anderson

They are named after legitimate Windows binaries but sit in the wrong location.

They were spawned in succession from C:\Program Files (x86)\noregon\JPRO diagnostics\Fleets.exe > C:\Program Files (x86)\noregon\JPRO diagnostics_jpro_start.exe > C:\Users\AppData\Local\icsys.icn.exe > c:\Windows\System\explorer.exe > C:\Windows\System\spoolsv.exe > C:\Windows\System\svchost.exe.

The files are custom binaries compiled with Visual Basic. They appear to be rebuilt regularly, since their hashes change often.
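Since the hashes change often, a path check is more durable than a hash match. The following is an added detection example, not code from the original post: it walks constructed process-creation records modelled on the chain above and flags any image named like a Windows binary that is not in that binary's genuine directory (the real explorer.exe lives in C:\Windows; spoolsv.exe and svchost.exe in C:\Windows\System32, with a SysWOW64 copy of svchost.exe on 64-bit systems). The event field names and sample paths are assumptions.

```python
import ntpath

# Directories where the genuine copies of these Windows binaries live.
# Comparisons are case-insensitive, as on NTFS.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Constructed process-creation events mirroring the chain in the post,
# plus one legitimate svchost.exe start. Not a real Sysmon export.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\noregon\JPRO diagnostics\Fleets.exe",
     "Image": r"C:\Program Files (x86)\noregon\JPRO diagnostics_jpro_start.exe"},
    {"ParentImage": r"C:\Program Files (x86)\noregon\JPRO diagnostics_jpro_start.exe",
     "Image": r"C:\Users\AppData\Local\icsys.icn.exe"},
    {"ParentImage": r"C:\Users\AppData\Local\icsys.icn.exe",
     "Image": r"c:\Windows\System\explorer.exe"},
    {"ParentImage": r"c:\Windows\System\explorer.exe",
     "Image": r"C:\Windows\System\spoolsv.exe"},
    {"ParentImage": r"C:\Windows\System\spoolsv.exe",
     "Image": r"C:\Windows\System\svchost.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe"},
]


def masquerade_findings(events):
    """Return events whose image name matches a known Windows binary but
    whose directory is not one of the genuine locations for that binary."""
    findings = []
    for ev in events:
        image = ev["Image"]
        name = ntpath.basename(image).lower()
        directory = ntpath.dirname(image).lower()
        expected = EXPECTED_DIRS.get(name)
        if expected is not None and directory not in expected:
            findings.append({
                "image": image,
                "parent": ev["ParentImage"],
                "expected_dirs": sorted(expected),
            })
    return findings


if __name__ == "__main__":
    for f in masquerade_findings(SAMPLE_EVENTS):
        print(f"{f['image']} (parent: {f['parent']}) expected in {f['expected_dirs']}")
```

The legitimate C:\Windows\System32\svchost.exe record produces no finding, while the three copies under C:\Windows\System are each reported with their parent, which reconstructs the tail of the chain.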
