Michael;

 Thanks for the sanity check.  That's the only instance of explorer running; I hadn't quite thought through to the part about it being a grandchild of services.exe; more strangeness.

 I've run timeliner and I suspect a careful walk through that data is my next action.

Thank You!


                        -=[ Steve ]=-




From:        Michael Ligh <michael.ligh@mnin.org>
To:        shorejsi2@mmm.com
Cc:        vol-users@volatilityfoundation.org
Date:        03/01/2014 09:49 AM
Subject:        Re: [Vol-users] Chasing evil or my tail?

---

Looks pretty strange to me. Is that the only explorer.exe running or is there another one? Even if its parent is or isn't present, it shouldn't be a grandchild of services.exe--that is also odd. Based on the way pstree works, there's a small change userinit.exe could have been pid 5332 and then the pids cycled around until msdtc.exe eventually got pid 5332 also. That would produce an effect like you're seeing, but the chance of userinit.exe getting pid 5332 when it starts so early in the boot sequence is rather low.

--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com
Training: http://memoryanalysis.net

On Feb 28, 2014, at 9:33 AM, shorejsi2@mmm.com wrote:

> Working on a system that has been beaconing out to bad places and noticed this in the 'pstree' output (abbreviated):
>
> Name                                                  Pid   PPid
> -------------------------------------------------- ------ ------
>  0x894ca030:csrss.exe                                 580    484 ...
>  0x8f25b5b0:wininit.exe                               632    484 ...
> . 0x8f379d40:services.exe                             692    632 ...
> .. 0xb12484c0:FireSvc.exe                            2064    692 ...
> .. 0xaecc6d40:svchost.exe                            3332    692 ...
>         ...
> .. 0xb3eeb030:svchost.exe                            3780    692 ...
> .. 0x85e518e8:msdtc.exe                              5332    692 ...
> ... 0x82651d40:explorer.exe                          5400   5332 ...
> .... 0x85dcc3b0:pmcs.exe                             1608   5400 ...
> .... 0x85dc9240:EpePcMonitor.e                       6108   5400 ...
> .... 0x85c92030:BTTray.exe                           4744   5400 ...
> .... 0x8652c928:iexplore.exe                         7028   5400 ...
> ..... 0x86721030:iexplore.exe                        7364   7028 ...
> ...... 0x866f2030:jp2launcher.ex                     5356   7364 ...
> ....... 0x8678c408:java.exe                          7700   5356 ...
>         ...
> Is it just me or is msdtc.exe a very odd parent for explorer.exe?  I would normally expect userinit.exe to start explorer and then exit, leaving it with no visible parent.
>
> Any input appreciated...
>
>
>                         -=[ Steve ]=-
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

[attachment "signature.asc" deleted by Steve Horejsi/US-Corp02/3M/US]