[Vol-users] Process hollowing

Hello all, I'm analyzing a malware sample that is doing process hollowing. While doing dynamic analysis, with Process Explorer open, I can see the legitimate EXE (that appears to get hollowed) get started by the malware, and is then orphaned as the malware terminates itself. A few seconds later I see network communication starting. The malfind plugin identifies the process as malware but when I try to dump process from memory, the strings on the dumped process look the same as the strings of the legitimate file in the System32 folder. Using the yarascan plugin (following the example on the wiki) I'm able to locate some strings (domain name, IP address, file requested by GET) that are associated with the PID of the suspected hollowed process. Oh, and the malware is packed so I assume the unpacked code is being placed into the address space of the legitimate file in memory. The capture is a .vmem from a VM snapshot. Any thoughts on how I can locate the unpacked code in memory? Shouldn't dumping the PID with procexedump contain the unpacked code? I've dumped the process by PID and physical offset (from psscan). Thanks, Carlos