I'm digging through a memory image of a pretty thoroughly compromised system using Volatility and I've run across something new (to me anyway...).

There's a rogue process in the image that lists a PID which exceeds the width allocated by Volatility:

0xdba0f9a8 cmd.exe                5004 True   True   False    True   False True    False
0xda247250 chrome.exe             4764 True   True   False    True   False True    False
0x6da39918 ☼                    42...2 False  False  False    False  False False   True
0xdcd97610 SearchFilterHo         6956 False  True   False    False  False False   False
0xdace4568 PrintIsolation         6312 False  True   False    False  False False   False

I'd dearly love to get my hands on that executable, but I don't see an easy way to get the PID.

Any easy way forward on this?



                        -=[ Steve ]=-