Brian Baskin
binxray binparse binocular +1
Is this a case where procmon64 is being overwritten by malware? Sorry. I searched but couldn't find old context.
OK, if this continues provide -d debug logs. The procmon is unusual and could be a case of procmon on 64-bit dropping a secondary 64-bit executable and Noriben having trouble...
Thanks for this! Unfortunately it's a bit lower on my queue, but it's something I'm looking forward to reviewing.
I've been playing with this issue for a while, and apologies for the lengthy delay. It's an issue of the backing file being encrypted, but Procmon does have the ability to...
I've tried it as an executable. This is working for me normally, but can you try it against your specific malware to test? The EXE is hosted: https://github.com/Rurik/Noriben/blob/exe_test/Noriben.exe?raw=true
This exe is the actual noriben.py just compiled to .exe. AV may be hitting on that aspect, but I'll have to do more testing to prevent that if I start...
Can you provide hash of malware? Here or private ([email protected])?
I'm sorry this is happening. Can you run it with the --debug option to verify there's content there? It's important to see where the break happens. If there's data in...
Please check that the .PML and the .CSV both exist and have data. There: Noriben_23_Mar_20__12_57_094085.pml and Noriben_23_Mar_20__12_57_094085.csv. If the CSV is zero bytes there could be an error in Procmon...