Noregon Fake Windows Components
Contributed By: Matt Anderson
The files are named after legitimate Windows binaries but sit in the wrong location. They were spawned in succession from
C:\Program Files (x86)\noregon\JPRO diagnostics\Fleets.exe >
C:\Program Files (x86)\noregon\JPRO diagnostics_jpro_start.exe >
C:\Users\AppData\Local\icsys.icn.exe > c:\Windows\System\explorer.exe >
The files are custom binaries compiled with Visual Basic. They appear to be changed/created regularly as the hashes seem to change often.
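Because the hashes change often, a name-and-path check is a more durable detection than a hash list. The following is an added example, not part of the original note: it flags process images that use a Windows binary name outside the directory where that binary normally lives. The EXPECTED_DIRS baseline, the event field names and the sample events are assumptions made for illustration.

```python
import ntpath

# Assumed baseline (illustrative subset, not from the original note):
# directories where these Windows binaries live on a default install.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
}


def _split(image):
    """Return (lower-cased directory, lower-cased file name) of a Windows path."""
    directory, name = ntpath.split(image.replace("/", "\\").lower())
    return directory.rstrip("\\"), name


def is_masquerading(image):
    """True when the name is a baselined Windows binary in an unexpected directory."""
    directory, name = _split(image)
    expected = EXPECTED_DIRS.get(name)
    return expected is not None and directory not in expected


def flag_events(events):
    """Return the events whose image masquerades, each with a reason attached."""
    hits = []
    for ev in events:
        if is_masquerading(ev["image"]):
            hits.append({**ev, "reason": "system binary name outside expected directory"})
    return hits


# Constructed process-creation events. The paths in the first event are copied
# from the note above; the other two are constructed benign examples.
SAMPLE_EVENTS = [
    {"image": r"c:\Windows\System\explorer.exe",
     "parent": r"C:\Users\AppData\Local\icsys.icn.exe"},
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit["image"], "<-", hit["parent"], ":", hit["reason"])
```

The check only covers names present in the baseline, so icsys.icn.exe is not flagged by it; the explorer.exe copy under c:\Windows\System is.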