Looks pretty strange to me. Is that the only explorer.exe running or is there another one?
Whether or not its parent is present, it shouldn't be a grandchild of
services.exe--that is also odd. Based on the way pstree works, there's a small chance
userinit.exe could have been pid 5332 and then the pids cycled around until msdtc.exe
eventually got pid 5332 also. That would produce an effect like you're seeing, but the
chance of userinit.exe getting pid 5332 when it starts so early in the boot sequence is
rather low.
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG:
http://mnin.org/gpg.pubkey.txt
Blog:
http://volatility-labs.blogspot.com
Training:
http://memoryanalysis.net
On Feb 28, 2014, at 9:33 AM, shorejsi2(a)mmm.com wrote:
Working on a system that has been beaconing out to bad
places and noticed this in the 'pstree' output (abbreviated):
Name Pid PPid
-------------------------------------------------- ------ ------
0x894ca030:csrss.exe 580 484 ...
0x8f25b5b0:wininit.exe 632 484 ...
. 0x8f379d40:services.exe 692 632 ...
.. 0xb12484c0:FireSvc.exe 2064 692 ...
.. 0xaecc6d40:svchost.exe 3332 692 ...
...
.. 0xb3eeb030:svchost.exe 3780 692 ...
.. 0x85e518e8:msdtc.exe 5332 692 ...
... 0x82651d40:explorer.exe 5400 5332 ...
.... 0x85dcc3b0:pmcs.exe 1608 5400 ...
.... 0x85dc9240:EpePcMonitor.e 6108 5400 ...
.... 0x85c92030:BTTray.exe 4744 5400 ...
.... 0x8652c928:iexplore.exe 7028 5400 ...
..... 0x86721030:iexplore.exe 7364 7028 ...
...... 0x866f2030:jp2launcher.ex 5356 7364 ...
....... 0x8678c408:java.exe 7700 5356 ...
...
Is it just me or is msdtc.exe a very odd parent for explorer.exe? I would normally
expect userinit.exe to start explorer and then exit, leaving it with no visible parent.
Any input appreciated...
-=[ Steve ]=-
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
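The PID-recycling hypothesis above can be tested mechanically: pstree links rows by PPid only, so if a parent's create time is later than its child's, the PPid was reassigned and the real parent is gone. The script below (an added example, not code from the thread, Volatility, or its authors) parses a constructed Volatility 2 pstree listing with the full Name/Pid/PPid/Thds/Hnds/Time columns (the listing in the thread is abbreviated, so the rows, addresses and timestamps here are invented) and flags three things: a PPid that is absent from the listing, a parent that started after its child, and an explorer.exe whose live parent is anything other than userinit.exe. The process names and PIDs mirror the thread; nothing else is taken from it.

```python
"""Sanity-check a Volatility 2 'pstree' listing for suspicious parent links.

The SAMPLE_PSTREE text is constructed for this example: it mimics the column
layout of 'vol.py ... pstree' but the addresses, thread/handle counts and
timestamps are hypothetical, as is orphan.exe.
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x89000000:System                                       4      0     80    500 2014-02-20 12:00:00 UTC+0000
. 0x89100000:smss.exe                                  484      4      2     30 2014-02-20 12:00:00 UTC+0000
.. 0x8f25b5b0:wininit.exe                              632    484      3     80 2014-02-20 12:00:01 UTC+0000
... 0x8f379d40:services.exe                            692    632      9    220 2014-02-20 12:00:02 UTC+0000
.... 0xaecc6d40:svchost.exe                           3332    692     14    410 2014-02-20 12:00:05 UTC+0000
.... 0x85e518e8:msdtc.exe                             5332    692     12    150 2014-02-21 08:15:40 UTC+0000
..... 0x82651d40:explorer.exe                         5400   5332     31    900 2014-02-20 12:00:20 UTC+0000
...... 0x8652c928:iexplore.exe                        7028   5400     10    500 2014-02-21 09:10:00 UTC+0000
....... 0x86721030:iexplore.exe                       7364   7028     20    700 2014-02-21 09:10:05 UTC+0000
.. 0x894ca030:csrss.exe                                580    484     10    500 2014-02-20 12:00:01 UTC+0000
 0x81234560:orphan.exe                                4444   9999      1     30 2014-02-21 09:30:00 UTC+0000
"""


class Proc(NamedTuple):
    name: str
    pid: int
    ppid: int
    created: datetime


# One pstree row: optional tree dots, then "0xADDR:name  Pid  PPid  Thds  Hnds  Time".
ROW_RE = re.compile(
    r"^\.*\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\d+\s+\d+\s+(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
)

Finding = Tuple[str, str, int, str]  # (kind, name, pid, detail)


def parse_pstree(text: str) -> Dict[int, Proc]:
    """Parse pstree rows into a pid -> Proc map; header/separator lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        created = datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S")
        proc = Proc(m["name"], int(m["pid"]), int(m["ppid"]), created)
        procs[proc.pid] = proc
    return procs


def check_parents(procs: Dict[int, Proc]) -> List[Finding]:
    """Flag parent links that pstree draws but that cannot be real."""
    findings: List[Finding] = []
    for p in procs.values():
        if p.ppid == 0:  # System has no parent
            continue
        parent = procs.get(p.ppid)
        if parent is None:
            # Expected for explorer.exe (userinit.exe exits) and for processes
            # whose parent has died; still worth listing.
            findings.append(("missing-parent", p.name, p.pid,
                             f"ppid {p.ppid} is not in the listing"))
            continue
        if parent.created > p.created:
            # A parent cannot start after its child: the PPid was recycled and
            # pstree is linking to whoever owns that pid now.
            findings.append(("pid-reuse", p.name, p.pid,
                             f"parent {parent.name} ({parent.pid}) started after child"))
        if p.name.lower() == "explorer.exe" and parent.name.lower() != "userinit.exe":
            findings.append(("unexpected-parent", p.name, p.pid,
                             f"live parent is {parent.name} ({parent.pid})"))
    return findings


if __name__ == "__main__":
    for kind, name, pid, detail in check_parents(parse_pstree(SAMPLE_PSTREE)):
        print(f"{kind:17} {name:16} {pid:6}  {detail}")
```

Run against a real dump, feed the full (not abbreviated) pstree output into parse_pstree; the create-time comparison is what separates a benign recycled PID from a genuinely odd spawn, and it is only meaningful if the Time column survived.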