Michael;
Your initial reaction was correct; it's a phantom. A look at the output
from timeliner shows that msdtc.exe started well after explorer.exe. The
matching PID was just a weird accident:
...
2014-02-17 11:38:17 UTC+0000 [PROCESS] dwm.exe 5360 1080
2014-02-17 11:38:18 UTC+0000 [PROCESS] explorer.exe 5400 5332
2014-02-17 11:38:20 UTC+0000 [PROCESS] iPlatformHost. 5552 2360
...
2014-02-17 11:39:06 UTC+0000 [PROCESS] dllhost.exe 4992 692
2014-02-17 11:39:08 UTC+0000 [PROCESS] msdtc.exe 5332 692
2014-02-17 11:39:13 UTC+0000 [PROCESS] BTHSAmpPalServ 6276 692
2014-02-17 11:39:17 UTC+0000 [PROCESS] BTHSSecurityMg 6488 692
So the moral becomes (as it always is...) beware shiny objects...
Thank You!
-=[ Steve ]=-
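As an added illustration of the check Steve applied above (this is not code from the thread or from Volatility itself): it cross-references pstree parent links with timeliner process-creation times and flags any link whose listed parent was created after its child, which is exactly the PID-recycling artifact Michael describes in his reply below. The regexes assume the column layout shown in this thread; the sample data is copied from it.

```python
import re
from datetime import datetime

# Constructed sample input, copied from the timeliner and pstree output in
# this thread (trailing columns trimmed).
TIMELINER = """\
2014-02-17 11:38:18 UTC+0000 [PROCESS] explorer.exe 5400 5332
2014-02-17 11:39:06 UTC+0000 [PROCESS] dllhost.exe 4992 692
2014-02-17 11:39:08 UTC+0000 [PROCESS] msdtc.exe 5332 692
"""
PSTREE = """\
. 0x8f379d40:services.exe 692 632
.. 0x85e518e8:msdtc.exe 5332 692
... 0x82651d40:explorer.exe 5400 5332
.... 0x8652c928:iexplore.exe 7028 5400
"""

TL_RE = re.compile(r"^(\S+ \S+) UTC\+0000 \[PROCESS\] (\S+) (\d+) (\d+)")
PS_RE = re.compile(r"^\.*\s*0x[0-9a-f]+:(\S+) (\d+) (\d+)")

def parse_timeliner(text):
    """Map pid -> (name, create_time) from timeliner [PROCESS] lines."""
    procs = {}
    for m in map(TL_RE.match, text.splitlines()):
        if m:
            ts, name, pid, _ppid = m.groups()
            procs[int(pid)] = (name, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return procs

def parse_pstree(text):
    """Return (name, pid, ppid) tuples from pstree output lines."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in map(PS_RE.match, text.splitlines()) if m]

def phantom_parents(pstree_text, timeliner_text):
    """Flag pstree links whose 'parent' was created after the child.
    The PPID then points at a recycled PID, not the real (exited) parent.
    Returns (child, pid, listed_parent, ppid, seconds_parent_started_later)."""
    created = parse_timeliner(timeliner_text)
    findings = []
    for name, pid, ppid in parse_pstree(pstree_text):
        if pid not in created or ppid not in created:
            continue  # no creation time for one side: cannot judge the link
        child_t = created[pid][1]
        parent_name, parent_t = created[ppid]
        if parent_t > child_t:
            gap = int((parent_t - child_t).total_seconds())
            findings.append((name, pid, parent_name, ppid, gap))
    return findings
```

Running `phantom_parents(PSTREE, TIMELINER)` on the thread's data reports explorer.exe (5400) with msdtc.exe (5332) listed as parent but created 50 seconds later; a child whose real parent has exited and whose PPID no longer appears in timeliner is simply skipped, since there is nothing to compare against.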
From: Michael Ligh <michael.ligh(a)mnin.org>
To: shorejsi2(a)mmm.com
Cc: vol-users(a)volatilityfoundation.org
Date: 03/01/2014 09:49 AM
Subject: Re: [Vol-users] Chasing evil or my tail?
Looks pretty strange to me. Is that the only explorer.exe running or is
there another one? Even if its parent is or isn't present, it shouldn't be
a grandchild of services.exe--that is also odd. Based on the way pstree
works, there's a small chance userinit.exe could have been pid 5332 and
then the pids cycled around until msdtc.exe eventually got pid 5332 also.
That would produce an effect like you're seeing, but the chance of
userinit.exe getting pid 5332 when it starts so early in the boot sequence
is rather low.
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com
Training: http://memoryanalysis.net
On Feb 28, 2014, at 9:33 AM, shorejsi2(a)mmm.com wrote:
Working on a system that has been beaconing out to bad places and noticed this in the 'pstree' output (abbreviated):
Name Pid PPid
-------------------------------------------------- ------ ------
0x894ca030:csrss.exe 580 484 ...
0x8f25b5b0:wininit.exe 632 484 ...
. 0x8f379d40:services.exe 692 632 ...
.. 0xb12484c0:FireSvc.exe 2064 692 ...
.. 0xaecc6d40:svchost.exe 3332 692 ...
...
.. 0xb3eeb030:svchost.exe 3780 692 ...
.. 0x85e518e8:msdtc.exe 5332 692 ...
... 0x82651d40:explorer.exe 5400 5332 ...
.... 0x85dcc3b0:pmcs.exe 1608 5400 ...
.... 0x85dc9240:EpePcMonitor.e 6108 5400 ...
.... 0x85c92030:BTTray.exe 4744 5400 ...
.... 0x8652c928:iexplore.exe 7028 5400 ...
..... 0x86721030:iexplore.exe 7364 7028 ...
...... 0x866f2030:jp2launcher.ex 5356 7364 ...
....... 0x8678c408:java.exe 7700 5356 ...
...
Is it just me or is msdtc.exe a very odd parent for explorer.exe? I would normally expect userinit.exe to start explorer and then exit, leaving it with no visible parent.
Any input appreciated...
-=[ Steve ]=-
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users