Hey all,
Here's what I have:
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x26004da0 UPS_Label_23052         396 False  True   False    False  False False   False
0x260f7da0 UPS_Label_23052         396 False  True   False    False  False False   False
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x27808020 explorer.exe       1480   1412 0x0a440200 2013-05-23 17:44:24 UTC+0000
0x26004da0 UPS_Label_23052     396   1480 0x0a4403c0 2013-05-23 17:46:09 UTC+0000
0x260f7da0 UPS_Label_23052     396   1480 0x0a4403c0 2013-05-23 17:46:09 UTC+0000
I'm attempting to find and extract the running UPS_Label_23052, but
having difficulty extracting the exe from it. Procmemdump and
procexedump fail to find the pid, so I'm kind of lost. Any info would
help...thank you.
James