PML file being encrypted by malware #42
Comments
I've been playing with this issue for a while, and apologies for the lengthy delay. It's an issue of the backing file being encrypted, but Procmon does have the ability to use virtual memory for the live data. Do you have a sample that you can test against, or provide a hash for so I can test?

In Procmon, if you enable File > Backing File... > Virtual Memory, that may be able to get around this issue. However, I cannot guess the performance issues, or ultimate memory usage, of that.

Then one small edit to the script, within "launch_procmon_capture()", to force this:

Change:

To:
Thanks for the response, I can certainly get a relatively new sample for analysis and testing. Let me know when you'd like to start, we can do remote sessions with Anyconnect.

Robert

On Mon, Jan 18, 2021, 11:31 AM Brian Baskin wrote:
I'm still encountering these issues daily with ransomware. What are your thoughts about adding an option to just eliminate the extension of the output file altogether? Many of the samples that I've encountered don't encrypt files that don't have extensions.
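The workaround proposed in the last comment, as an added example that is not Noriben's or Procmon's own code: Procmon is pointed at a backing file with no extension during the capture, and before the finished log is handed to Procmon for CSV conversion its 4-byte `PML_` signature is checked, so an encrypted or replaced backing file is reported instead of being fed to `/OpenLog`. Only documented Procmon switches are used (`/AcceptEula`, `/Quiet`, `/Minimized`, `/BackingFile`, `/Terminate`, `/OpenLog`, `/SaveAs`); the function names, the file names and the "encrypted" sample bytes are constructed for illustration, and the code only builds the argv lists, it does not launch Procmon (which needs an elevated Windows session).

```python
"""Added example (not Noriben's or Procmon's code): capture to an
extension-less Procmon backing file and verify the log header before
conversion. File names and the sample bytes below are constructed."""
import os
from pathlib import Path

# Every Procmon log file begins with this 4-byte signature.
PML_MAGIC = b"PML_"


def live_backing_path(final_pml: str) -> Path:
    """Path Procmon writes to during the capture: same name, no '.pml'.

    The thread's observation is that many lockers skip files without an
    extension, so 'Noriben_run' stands a better chance than 'Noriben_run.pml'.
    """
    return Path(final_pml).with_suffix("")


def build_capture_cmd(procmon_exe: str, final_pml: str) -> list:
    """argv for a quiet, minimised capture into the extension-less file."""
    return [procmon_exe, "/AcceptEula", "/Quiet", "/Minimized",
            "/BackingFile", str(live_backing_path(final_pml))]


def build_terminate_cmd(procmon_exe: str) -> list:
    """argv that stops the running capture and flushes the backing file."""
    return [procmon_exe, "/Terminate"]


def build_convert_cmd(procmon_exe: str, final_pml: str, csv_out: str) -> list:
    """argv that re-opens the finished .pml and exports it as CSV."""
    return [procmon_exe, "/OpenLog", final_pml, "/SaveAs", csv_out]


def classify_header(head: bytes) -> str:
    """'ok' if the bytes start like a Procmon log, otherwise why not."""
    if not head:
        return "empty"
    if head[:4] == PML_MAGIC:
        return "ok"
    return "not-pml"  # what an encrypted backing file looks like


def finalize_capture(final_pml: str) -> str:
    """After /Terminate: check the live file, then give it its .pml name back.

    Returns 'ok' once renamed. Any other result means the file is left in
    place untouched (never passed to /OpenLog) so it can be triaged by hand.
    """
    live = live_backing_path(final_pml)
    try:
        with open(live, "rb") as fh:
            status = classify_header(fh.read(4))
    except FileNotFoundError:
        return "missing"  # e.g. the locker renamed it with its own extension
    if status != "ok":
        return status
    os.replace(live, final_pml)
    return "ok"


if __name__ == "__main__":
    exe = r"C:\Tools\procmon.exe"          # assumed location
    pml = r"C:\Noriben\Noriben_run.pml"    # assumed output name
    print(build_capture_cmd(exe, pml))
    print(build_terminate_cmd(exe))
    print(build_convert_cmd(exe, pml, pml[:-4] + ".csv"))
```

The extension trick is only a heuristic: a sample that enumerates every file regardless of name, or one that kills Procmon outright, still wins. The header check is the part worth keeping either way, because it stops the script from spending time on a backing file that no longer contains a trace and leaves the damaged file where an analyst can inspect it. The Virtual Memory backing option Brian mentions is a separate approach and is not covered here.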