Forum Discussion

DanAlexander
Copper Contributor
Nov 18, 2021

Ransomware alert

Morning community,


I have a question and I hope I am in the right place.


We use M365 Defender as a SIEM solution and a Ransomware alert came recently.

In the timeline, there were more than 10 instances of taskkill involved. As far as I am informed the tool is set up to trigger an alert on several taskkill execution events. 


However, there was a PGHook.dll clipped/involved in the mix, and it has a direct link to the Ransomware in the timeline.


My question is: Would the PGHook.dll have assisted in creating the alert, or did M365 Defender pick up only on the number of taskkill events?


Thank you in advance.

Dan 
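
Added example (not from the thread or from Microsoft): a Python sketch of the two checks the question separates, a count-based taskkill burst rule and a separate correlation of that burst's parent process with loads of PGHook.dll, run over constructed sample events. Device names, parent process names, timestamps and the hash value are placeholders, not real indicators.

```python
# Added example (not part of the thread): the correlation a SIEM rule performs for
# this alert, run over constructed events. All names and the hash are placeholders.
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2021, 11, 18, 8, 0, 0)

# Constructed process-creation events: a burst of 12 taskkill.exe launches from one
# parent on WS01, plus 3 spread-out launches from cmd.exe on WS02 (below threshold).
PROCESS_EVENTS = (
    [{"ts": BASE + timedelta(seconds=5 * i), "device": "WS01", "file": "taskkill.exe",
      "parent": "updater.exe", "cmd": f"taskkill /F /IM svc{i}.exe"} for i in range(12)]
    + [{"ts": BASE + timedelta(minutes=4 * i), "device": "WS02", "file": "taskkill.exe",
        "parent": "cmd.exe", "cmd": "taskkill /F /IM notepad.exe"} for i in range(3)]
)
# Constructed image-load event: the burst's parent loaded PGHook.dll shortly before.
IMAGE_LOAD_EVENTS = [
    {"ts": BASE - timedelta(seconds=10), "device": "WS01", "dll": "PGHook.dll",
     "loader": "updater.exe", "sha1": "PLACEHOLDER_SHA1"},
]

def taskkill_bursts(events, threshold=10, window=timedelta(minutes=10)):
    # (device, parent) -> peak taskkill.exe launches inside any window-long span,
    # keeping only parents that reach the threshold (the count-based trigger).
    times_by_key = defaultdict(list)
    for e in events:
        if e["file"].lower() == "taskkill.exe":
            times_by_key[(e["device"], e["parent"].lower())].append(e["ts"])
    bursts = {}
    for key, times in times_by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = max(bursts.get(key, 0), end - start + 1)
    return bursts

def correlate_dll(bursts, image_loads, dll_name):
    # For each burst, count loads of dll_name by the same parent on the same device;
    # a non-zero count is what links the DLL to the alert, separately from the trigger.
    return {key: {"taskkill_count": count,
                  "dll_loads": sum(1 for l in image_loads
                                   if l["device"] == key[0]
                                   and l["loader"].lower() == key[1]
                                   and l["dll"].lower() == dll_name.lower())}
            for key, count in bursts.items()}
```

Running `correlate_dll(taskkill_bursts(PROCESS_EVENTS), IMAGE_LOAD_EVENTS, "PGHook.dll")` reports the WS01 burst with the DLL load attached, while the three WS02 launches never trip the count rule.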

  • AmolShelar
    Copper Contributor
    Hi,

    It is better to visit https://www.virustotal.com & submit the suspicious PGHook.dll. There you will get maximum details of the file; you will also get to know if the same file has been detected by other antiviruses as well.

    -AmolShelar
    • DanAlexander
      Copper Contributor
      Thanks for the reply.

      All checks were made and all looks good. However, I would like to understand if there is something else that caused the PGHook to be listed in the timeline as the main contributor to the alert. For example, a bad WMI image load, DLL sharing issues, etc.?
      • AmolShelar
        Copper Contributor
        Ok. Have you checked for any suspicious remote connections/processes which are hooked up with PGHook.dll?
  • Ameliastan
    Copper Contributor

    Hi guys! 

    I am extremely worried as my important data is encrypted with ransomware. I searched for the decryptor on the internet and found a website. Has anyone of you had experience with it or not?
    Kindly let me know. I want to purchase a decryptor from them. This is the website on this link.
