Forum Discussion
DanAlexander
Nov 18, 2021, Copper Contributor
Ransomware alert
Morning community, I have a question and I hope I am in the right place. We use M365 Defender as a SIEM solution and a ransomware alert came recently. In the timeline, there were more than 10 i...
AmolShelar
Nov 18, 2021, Copper Contributor
Hi,
It is better to visit https://www.virustotal.com & submit the suspicious PGHook.dll. There you will get the most details about the file, and you will also get to know whether the same file has been detected by other antiviruses as well.
-AmolShelar
DanAlexander
Nov 18, 2021, Copper Contributor
Thanks for the reply.
All checks were made and all looks good. However, I would like to understand if there is something else that caused PGHook to be listed in the timeline as the main contributor to the alert? For example a bad WMI image load, DLL sharing issues, etc.?
AmolShelar
Nov 18, 2021, Copper Contributor
Ok. Have you checked for any suspicious remote connections or processes which are hooked up with PGHook.Dll?
DanAlexander
Nov 18, 2021, Copper Contributor
AmolShelar, unfortunately, I do not have granular visibility on the endpoint's active processes and cannot inspect if there are any suspicious remote connection attempts. Can you please, based on your experience, suggest a questionnaire for the technical team to address potential adversaries on the endpoint? Your help is much appreciated!
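The two checks raised in this thread (hash PGHook.dll for a VirusTotal lookup, and find which processes have it loaded and what they are talking to) can be handed to the technical team as one script. The following is an added example, not code from any poster or from Microsoft Defender; it assumes a Windows host with Windows PowerShell 5.1 or later and the built-in NetTCPIP module, and it only uses the module name PGHook.dll from the thread (its path, hash and publisher are not known here, so nothing is hard-coded about them).

```powershell
# Added triage example (not from the thread). Run elevated on the affected endpoint.
# For every process that has PGHook.dll loaded it reports: module path, SHA256
# (for the VirusTotal lookup suggested above), Authenticode status, parent process,
# and established TCP connections to non-local addresses.
$ModuleName = 'PGHook.dll'   # name from the thread; everything else is discovered at run time

# Parent PID lookup via CIM so the loading chain can be checked (e.g. an unexpected parent).
$parentByPid = @{}
Get-CimInstance Win32_Process | ForEach-Object { $parentByPid[[int]$_.ProcessId] = [int]$_.ParentProcessId }

$findings = foreach ($proc in Get-Process) {
    # .Modules throws for protected processes and for 64-bit targets from a 32-bit shell;
    # those processes are skipped rather than aborting the sweep.
    $mods = @()
    try { $mods = @($proc.Modules) } catch { continue }

    foreach ($m in ($mods | Where-Object { $_.ModuleName -ieq $ModuleName })) {
        $hash = 'unreadable'
        try { $hash = (Get-FileHash -Algorithm SHA256 -Path $m.FileName -ErrorAction Stop).Hash } catch {}

        $sig = 'unknown'
        try { $sig = (Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction Stop).Status } catch {}

        # Only established sessions to addresses that are not loopback/unspecified.
        $conns = Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
                 Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' }

        $ppid = $parentByPid[[int]$proc.Id]
        $parentName = if ($ppid) { (Get-Process -Id $ppid -ErrorAction SilentlyContinue).ProcessName } else { $null }

        [pscustomobject]@{
            ProcessId       = $proc.Id
            Process         = $proc.ProcessName
            Parent          = "$parentName ($ppid)"
            ModulePath      = $m.FileName
            SHA256          = $hash
            Signature       = $sig
            RemoteEndpoints = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
        }
    }
}

if (-not $findings) { "No running process has $ModuleName loaded." }
$findings | Format-Table -AutoSize
```

Each column answers one of the questions asked in the thread: SHA256 is what to paste into VirusTotal (so the file itself never has to leave the host), Signature shows whether the DLL is signed and by a valid chain, Parent exposes an unusual loading chain, and RemoteEndpoints is the "suspicious remote connections" check for the processes that actually have the module mapped. Because the script reads module lists, it must run with administrative rights and from a 64-bit shell to see 64-bit processes.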