marc ochsenmeier

Not recent, but still valid. A presentation of #pestudio I did at Black Hat London. #infosec winitor.com/pdf/Blackhat-L…

Next #pestudio with following changes: - Extend views - Increase responsiveness - Fix major memory issue #malware #infosec

Update of #pestudio soon, with better responsiveness, bug fixes and more #malware #ransomware #infosec

Fake 7-Zip Trojan #Malware #InfoSec

@whyntok2629 #pestudio vs pestudio-pro #malware #infosecurity winitor.com/tools/pestudio…

@ochsenmeier I aslo using PeStudio, but the free-version. How about your opinion about the difference with the Pro-version?

The Chrysalis Backdoor with a dll exporting duplicated (dummy) functions, typical for DLL sideloading #malware #infosec

The Windows Task Scheduler #dfir #infosec #malware

Let me blow your mind real quick: When you use Remote Desktop (RDP), Windows secretly takes screenshots of what you are doing. It’s called the RDP Bitmap Cache. To make the connection faster, Windows saves small tiles (images) of the remote screen to your hard drive in a bin file. Even if the session is over and the remote server is destroyed... your laptop still holds the cache files. Forensics teams use tools like BMCViewer to stitch those tiles back together. They won't just see logs but the literal email, document, or picture you were looking at. 💀

How Windows DLL works #dfir #infosec #malware winitor.com/pdf/DynamicLin…

Two different ways to sign an Executable file #dfir #malware blog.didierstevens.com/2008/01/11/the…

@LetsDefendIO Happy to see my work, #pestudio is on the list. Thx! #Malware #infosec

Malware Analysis Tools

Oh, I just noticed that opening the browser from Explorer works! #infosec

How Executable files work #infosec #dfir #malware winitor.com/pdf/Windows-Po…

fourcore.io/blogs/how-a-wi… by @fourcorelabs

@SquiblydooBlog @struppigel @virustotal not yet...it's on the todo list.

@ochsenmeier @struppigel @virustotal Does it ever show a "revoked" status? I checked a few samples, and they only show expired. I'm a little biased, but if it could show the "revoked" status, it'd be pretty swell. :)

For anyone who wants to understand certificates better and how to spot abuse, this is a great read (by @SquiblydooBlog ) certcentral.org/training

A deep dive into the Windows Alternate Data Streams (ADS) #infosec #dfir winitor.com/pdf/NtfsAltern…

...and notepad to extract the ADS! :-)

Use "7z l -sns" to list any Alternate Data Streams (ADS) contained in a RAR file #Malware CVE-2025-6218 CVE-2025-8088

@diversenok_zero A pdb inspector I wrote a few years ago #comments-section" target="_blank" rel="nofollow noopener">codeproject.com/articles/How-T…

I wanted to understand what information is available in .pdb files, so I made a tool for it 🔎🪲 Welcome DiaSymbolView - a debug symbol hierarchy and properties viewer based on MSDIA: github.com/diversenok/Dia…