Comments on [Archive of Volatility Labs]: PlugX: Memory Forensics Lifecycle with Volatility
Blog author: Jamie Levy (http://www.blogger.com/profile/16089000750284843256)
Feed updated: 2024-03-24T09:17:33-04:00

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2015-11-09T06:56:09-05:00:

What were the host-based indicators for this malware? It must have remained persistent on the system somehow...

Comment by Michael Hale Ligh (https://www.blogger.com/profile/17377327006242921434), 2015-11-09T14:38:15-05:00:

It persisted in the registry as a service (even visible via regedit on a live machine). It just hid the service entry from APIs and tools like services.msc, WMI, PowerShell, etc., because those don't query the registry directly; they consult the list in memory. And although you can clearly see RasTls in the registry of a live machine, you wouldn't know it was hidden unless you compared it