[New WTFBin]: logmein.com

[joaociocca]

• Contributor Name: Johnny Ciocca
• Application/Executable: logmein.com
• WTF Behavior Description: logmein.com triggers a cmd.exe execution of powershell.exe v1.0 with Bypass Execution Policy, which uses WebClient/OpenRead().CanRead to microsoft.com and google.com
  • "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ExecutionPolicy Bypass -Command "((New-Object System.Net.WebClient).OpenRead('https://www.microsoft.com')).CanRead"
• Link to Documentation of Behavior: Unable to find any documentation of this behavior
• Please provide any images for additional evidence.

[mttaggart]

Hmm, I don't know why it would do this, but I don't feel like a program kicking off PowerShell is, by itself, enough to merit a WTFBin. If it were a bizarre domain or base64 encoded, maybe. Even -ep bypass is common enough.

I'm going to pass on this one for now, but I really appreciate the submission! Keep WTFBins in mind in the future!