• Noregon Fake Windows Components

    Contributed By: Matt Anderson

    These binaries are named after legitimate Windows binaries but sit in the wrong location. They were spawned in succession: C:\Program Files (x86)\noregon\JPRO diagnostics\Fleets.exe > C:\Program Files (x86)\noregon\JPRO diagnostics_jpro_start.exe > C:\Users\AppData\Local\icsys.icn.exe > c:\Windows\System\explorer.exe > C:\Windows\System\spoolsv.exe > C:\Windows\System\svchost.exe.

    The files are custom binaries compiled with Visual Basic. They appear to be changed or created regularly, as their hashes seem to change often.