12:04 p.m.
Background: The user logged off (I know, I know) of the system (WinXP) and
the first responder logged back in under a different user and took the
memory dump.
When running pslist against the memory dump there're 2,423 entries. I'm
seeing a lot of entries where the process starts and exits - sometimes in a
row:
0x89b3f868 userinit.exe 3808 548 0 -------- 0 0
2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000
0x89b89ad0 userinit.exe 3156 548 0 -------- 0 0
2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000
0x89b2a868 userinit.exe 3672 548 0 -------- 0 0
2013-05-26 11:30:11 UTC+0000 2013-05-26 11:30:11 UTC+0000
0x89afc020 userinit.exe 3388 548 0 -------- 0 0
2013-05-26 12:41:44 UTC+0000 2013-05-26 12:41:44 UTC+0000
0x89b49da0 userinit.exe 1336 548 0 -------- 0 0
2013-05-26 13:22:13 UTC+0000 2013-05-26 13:22:13 UTC+0000
and sometimes more spread out:
0x89c1da98 java.exe 4536 1368 0 -------- 0 0
2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe 8608 4536 0 -------- 0 0
2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000
0x89142da0 wmiprvse.exe 3152 832 0 -------- 0 0
2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000
0x89144ac0 minituner.exe 1120 1368 0 -------- 0 0
2013-06-01 01:26:15 UTC+0000 2013-06-01 01:37:41 UTC+0000
0x8934d520 java.exe 9148 1368 0 -------- 0 0
2013-06-01 01:37:41 UTC+0000 2013-06-01 01:43:54 UTC+0000
0x8934e020 cscript.exe 7620 9148 0 -------- 0 0
2013-06-01 01:42:51 UTC+0000 2013-06-01 01:42:53 UTC+0000
0x895423b8 wmiprvse.exe 3664 832 0 -------- 0 0
2013-06-01 01:42:51 UTC+0000 2013-06-01 01:44:21 UTC+0000
0x895ce8a0 minituner.exe 9940 1368 0 -------- 0 0
2013-06-01 01:43:54 UTC+0000 2013-06-01 01:51:47 UTC+0000
0x893a3838 java.exe 4572 1368 0 -------- 0 0
2013-06-01 01:51:47 UTC+0000 2013-06-01 01:59:58 UTC+0000
Example of top processes by overall count of occurrence:
$ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr
364 java.exe
362 minituner.exe
335 userinit.exe
301 wmiprvse.exe
219 cscript.exe
192 verclsid.exe
91 wuauclt.exe
37 regsvr32.exe
34 winlogon.exe
34 csrss.exe
[snip]
I've never come across this before so I'm wondering if this could be
attributed to the first responder not letting the system fully log them on
prior to taking the memory dump and therefore there was a lot of still
loading processes observed?
--
Glenn Edwards
@hiddenillusion
12:51 p.m.
I've had bad memory captures look a bit like this...Can you share what tool
was used to collect the memory image?
Cheers,
Jesse
On Fri, Jun 7, 2013 at 12:04 PM, Glenn Edwards <hiddenillusion(a)gmail.com>wrote:
Background: The user logged off (I know, I know) of
the system (WinXP) and
the first responder logged back in under a different user and took the
memory dump.
When running pslist against the memory dump there're 2,423 entries. I'm
seeing a lot of entries where the process starts and exits - sometimes in a
row:
0x89b3f868 userinit.exe 3808 548 0 -------- 0
0 2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000
0x89b89ad0 userinit.exe 3156 548 0 -------- 0
0 2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000
0x89b2a868 userinit.exe 3672 548 0 -------- 0
0 2013-05-26 11:30:11 UTC+0000 2013-05-26 11:30:11 UTC+0000
0x89afc020 userinit.exe 3388 548 0 -------- 0
0 2013-05-26 12:41:44 UTC+0000 2013-05-26 12:41:44 UTC+0000
0x89b49da0 userinit.exe 1336 548 0 -------- 0
0 2013-05-26 13:22:13 UTC+0000 2013-05-26 13:22:13 UTC+0000
and sometimes more spread out:
0x89c1da98 java.exe 4536 1368 0 -------- 0
0 2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe 8608 4536 0 -------- 0
0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000
0x89142da0 wmiprvse.exe 3152 832 0 -------- 0
0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000
0x89144ac0 minituner.exe 1120 1368 0 -------- 0
0 2013-06-01 01:26:15 UTC+0000 2013-06-01 01:37:41 UTC+0000
0x8934d520 java.exe 9148 1368 0 -------- 0
0 2013-06-01 01:37:41 UTC+0000 2013-06-01 01:43:54 UTC+0000
0x8934e020 cscript.exe 7620 9148 0 -------- 0
0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:42:53 UTC+0000
0x895423b8 wmiprvse.exe 3664 832 0 -------- 0
0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:44:21 UTC+0000
0x895ce8a0 minituner.exe 9940 1368 0 -------- 0
0 2013-06-01 01:43:54 UTC+0000 2013-06-01 01:51:47 UTC+0000
0x893a3838 java.exe 4572 1368 0 -------- 0
0 2013-06-01 01:51:47 UTC+0000 2013-06-01 01:59:58 UTC+0000
Example of top processes by overall count of occurrence:
$ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr
364 java.exe
362 minituner.exe
335 userinit.exe
301 wmiprvse.exe
219 cscript.exe
192 verclsid.exe
91 wuauclt.exe
37 regsvr32.exe
34 winlogon.exe
34 csrss.exe
[snip]
I've never come across this before so I'm wondering if this could be
attributed to the first responder not letting the system fully log them on
prior to taking the memory dump and therefore there was a lot of still
loading processes observed?
--
Glenn Edwards
@hiddenillusion
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
Jesse Bowling
12:58 p.m.
The tool the IH used in this instance was Cyber Marshal's wmr (
http://cybermarshal.com/index.php/cyber-marshal-utilities/windows-memory-re…
).
I've looked at dumps created by this tool in the past and this type of
output/behavior wasn't observed.
On Fri, Jun 7, 2013 at 12:51 PM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
I've had bad memory captures look a bit like
this...Can you share what
tool was used to collect the memory image?
Cheers,
Jesse
On Fri, Jun 7, 2013 at 12:04 PM, Glenn Edwards <hiddenillusion(a)gmail.com>wrote:
--
Glenn Edwards
@hiddenillusion
Background: The user logged off (I know, I know)
of the system (WinXP)
and the first responder logged back in under a different user and took the
memory dump.
When running pslist against the memory dump there're 2,423 entries. I'm
seeing a lot of entries where the process starts and exits - sometimes in a
row:
0x89b3f868 userinit.exe 3808 548 0 -------- 0
0 2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000
0x89b89ad0 userinit.exe 3156 548 0 -------- 0
0 2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000
0x89b2a868 userinit.exe 3672 548 0 -------- 0
0 2013-05-26 11:30:11 UTC+0000 2013-05-26 11:30:11 UTC+0000
0x89afc020 userinit.exe 3388 548 0 -------- 0
0 2013-05-26 12:41:44 UTC+0000 2013-05-26 12:41:44 UTC+0000
0x89b49da0 userinit.exe 1336 548 0 -------- 0
0 2013-05-26 13:22:13 UTC+0000 2013-05-26 13:22:13 UTC+0000
and sometimes more spread out:
0x89c1da98 java.exe 4536 1368 0 -------- 0
0 2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe 8608 4536 0 -------- 0
0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000
0x89142da0 wmiprvse.exe 3152 832 0 -------- 0
0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000
0x89144ac0 minituner.exe 1120 1368 0 -------- 0
0 2013-06-01 01:26:15 UTC+0000 2013-06-01 01:37:41 UTC+0000
0x8934d520 java.exe 9148 1368 0 -------- 0
0 2013-06-01 01:37:41 UTC+0000 2013-06-01 01:43:54 UTC+0000
0x8934e020 cscript.exe 7620 9148 0 -------- 0
0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:42:53 UTC+0000
0x895423b8 wmiprvse.exe 3664 832 0 -------- 0
0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:44:21 UTC+0000
0x895ce8a0 minituner.exe 9940 1368 0 -------- 0
0 2013-06-01 01:43:54 UTC+0000 2013-06-01 01:51:47 UTC+0000
0x893a3838 java.exe 4572 1368 0 -------- 0
0 2013-06-01 01:51:47 UTC+0000 2013-06-01 01:59:58 UTC+0000
Example of top processes by overall count of occurrence:
$ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr
364 java.exe
362 minituner.exe
335 userinit.exe
301 wmiprvse.exe
219 cscript.exe
192 verclsid.exe
91 wuauclt.exe
37 regsvr32.exe
34 winlogon.exe
34 csrss.exe
[snip]
I've never come across this before so I'm wondering if this could be
attributed to the first responder not letting the system fully log them on
prior to taking the memory dump and therefore there was a lot of still
loading processes observed?
--
Glenn Edwards
@hiddenillusion
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
Jesse Bowling
2:03 p.m.
Do you when approximately the first responder did his work? It looks like
you've got some userinit.exe that started/stopped on 2013-05-26 and then
another batch on 2013-06-01. If the first responder got there on 2013-06-01,
then you know the weirdness wasn't anything caused by his actions since the
issue existed at least as early as 2013-05-26.
You scan the handles of running processes to see if any of them have open
handles to the terminated processes (see [1]). That may help explain why
they stuck around in the process list, but not why so many of the same
processes started in the first place.
IMO its not a bad capture and its probably not malicious. You might look in
the event logs (in particular the application one) to see if there are any
indications of the processes crashing and restarting.
MHL
[1]. http://mnin.blogspot.com/2011/03/mis-leading-active-in.html
On Fri, Jun 7, 2013 at 12:58 PM, Glenn Edwards <hiddenillusion(a)gmail.com>wrote:
The tool the IH used in this instance was Cyber
Marshal's wmr (
http://cybermarshal.com/index.php/cyber-marshal-utilities/windows-memory-re…
).
I've looked at dumps created by this tool in the past and this type of
output/behavior wasn't observed.
On Fri, Jun 7, 2013 at 12:51 PM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
I've had bad memory captures look a bit like
this...Can you share what
tool was used to collect the memory image?
Cheers,
Jesse
On Fri, Jun 7, 2013 at 12:04 PM, Glenn Edwards <hiddenillusion(a)gmail.com>wrote:
--
Glenn Edwards
@hiddenillusion
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Background: The user logged off (I know, I know)
of the system (WinXP)
and the first responder logged back in under a different user and took the
memory dump.
When running pslist against the memory dump there're 2,423 entries. I'm
seeing a lot of entries where the process starts and exits - sometimes in a
row:
0x89b3f868 userinit.exe 3808 548 0 -------- 0
0 2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000
0x89b89ad0 userinit.exe 3156 548 0 -------- 0
0 2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000
0x89b2a868 userinit.exe 3672 548 0 -------- 0
0 2013-05-26 11:30:11 UTC+0000 2013-05-26 11:30:11 UTC+0000
0x89afc020 userinit.exe 3388 548 0 -------- 0
0 2013-05-26 12:41:44 UTC+0000 2013-05-26 12:41:44 UTC+0000
0x89b49da0 userinit.exe 1336 548 0 -------- 0
0 2013-05-26 13:22:13 UTC+0000 2013-05-26 13:22:13 UTC+0000
and sometimes more spread out:
0x89c1da98 java.exe 4536 1368 0 -------- 0
0 2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe 8608 4536 0 -------- 0
0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000
0x89142da0 wmiprvse.exe 3152 832 0 -------- 0
0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000
0x89144ac0 minituner.exe 1120 1368 0 -------- 0
0 2013-06-01 01:26:15 UTC+0000 2013-06-01 01:37:41 UTC+0000
0x8934d520 java.exe 9148 1368 0 -------- 0
0 2013-06-01 01:37:41 UTC+0000 2013-06-01 01:43:54 UTC+0000
0x8934e020 cscript.exe 7620 9148 0 -------- 0
0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:42:53 UTC+0000
0x895423b8 wmiprvse.exe 3664 832 0 -------- 0
0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:44:21 UTC+0000
0x895ce8a0 minituner.exe 9940 1368 0 -------- 0
0 2013-06-01 01:43:54 UTC+0000 2013-06-01 01:51:47 UTC+0000
0x893a3838 java.exe 4572 1368 0 -------- 0
0 2013-06-01 01:51:47 UTC+0000 2013-06-01 01:59:58 UTC+0000
Example of top processes by overall count of occurrence:
$ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr
364 java.exe
362 minituner.exe
335 userinit.exe
301 wmiprvse.exe
219 cscript.exe
192 verclsid.exe
91 wuauclt.exe
37 regsvr32.exe
34 winlogon.exe
34 csrss.exe
[snip]
I've never come across this before so I'm wondering if this could be
attributed to the first responder not letting the system fully log them on
prior to taking the memory dump and therefore there was a lot of still
loading processes observed?
--
Glenn Edwards
@hiddenillusion
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
Jesse Bowling
10:11 a.m.
much appreciated responses! ... I'll need to do some digging to see what's
causing this but MHL - you pointed out something that I hadn't thought of
yet and yes, the first responder did his work on 2013-06-01 so something
about the computer was messed up prior
On Fri, Jun 7, 2013 at 2:03 PM, Michael Hale Ligh <michael.hale(a)gmail.com>wrote:
Do you when approximately the first responder did his
work? It looks like
you've got some userinit.exe that started/stopped on 2013-05-26 and then
another batch on 2013-06-01. If the first responder got there on 2013-06-01,
then you know the weirdness wasn't anything caused by his actions since the
issue existed at least as early as 2013-05-26.
You scan the handles of running processes to see if any of them have open
handles to the terminated processes (see [1]). That may help explain why
they stuck around in the process list, but not why so many of the same
processes started in the first place.
IMO its not a bad capture and its probably not malicious. You might look
in the event logs (in particular the application one) to see if there are
any indications of the processes crashing and restarting.
MHL
[1]. http://mnin.blogspot.com/2011/03/mis-leading-active-in.html
On Fri, Jun 7, 2013 at 12:58 PM, Glenn Edwards <hiddenillusion(a)gmail.com>wrote:
--
Glenn Edwards
@hiddenillusion
The tool the IH used in this instance was Cyber
Marshal's wmr (
http://cybermarshal.com/index.php/cyber-marshal-utilities/windows-memory-re…
).
I've looked at dumps created by this tool in the past and this type of
output/behavior wasn't observed.
On Fri, Jun 7, 2013 at 12:51 PM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
I've had bad memory captures look a bit like
this...Can you share what
tool was used to collect the memory image?
Cheers,
Jesse
On Fri, Jun 7, 2013 at 12:04 PM, Glenn Edwards <hiddenillusion(a)gmail.com
--
Glenn Edwards
@hiddenillusion
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
wrote:
Background: The user logged off (I know, I know)
of the system
(WinXP) and the first responder logged back in under a different user and
took the memory dump.
When running pslist against the memory dump there're 2,423 entries.
I'm seeing a lot of entries where the process starts and exits - sometimes
in a row:
0x89b3f868 userinit.exe 3808 548 0 -------- 0
0 2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000
0x89b89ad0 userinit.exe 3156 548 0 -------- 0
0 2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000
0x89b2a868 userinit.exe 3672 548 0 -------- 0
0 2013-05-26 11:30:11 UTC+0000 2013-05-26 11:30:11 UTC+0000
0x89afc020 userinit.exe 3388 548 0 -------- 0
0 2013-05-26 12:41:44 UTC+0000 2013-05-26 12:41:44 UTC+0000
0x89b49da0 userinit.exe 1336 548 0 -------- 0
0 2013-05-26 13:22:13 UTC+0000 2013-05-26 13:22:13 UTC+0000
and sometimes more spread out:
0x89c1da98 java.exe 4536 1368 0 -------- 0
0 2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe 8608 4536 0 -------- 0
0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000
0x89142da0 wmiprvse.exe 3152 832 0 -------- 0
0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000
0x89144ac0 minituner.exe 1120 1368 0 -------- 0
0 2013-06-01 01:26:15 UTC+0000 2013-06-01 01:37:41 UTC+0000
0x8934d520 java.exe 9148 1368 0 -------- 0
0 2013-06-01 01:37:41 UTC+0000 2013-06-01 01:43:54 UTC+0000
0x8934e020 cscript.exe 7620 9148 0 -------- 0
0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:42:53 UTC+0000
0x895423b8 wmiprvse.exe 3664 832 0 -------- 0
0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:44:21 UTC+0000
0x895ce8a0 minituner.exe 9940 1368 0 -------- 0
0 2013-06-01 01:43:54 UTC+0000 2013-06-01 01:51:47 UTC+0000
0x893a3838 java.exe 4572 1368 0 -------- 0
0 2013-06-01 01:51:47 UTC+0000 2013-06-01 01:59:58 UTC+0000
Example of top processes by overall count of occurrence:
$ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr
364 java.exe
362 minituner.exe
335 userinit.exe
301 wmiprvse.exe
219 cscript.exe
192 verclsid.exe
91 wuauclt.exe
37 regsvr32.exe
34 winlogon.exe
34 csrss.exe
[snip]
I've never come across this before so I'm wondering if this could be
attributed to the first responder not letting the system fully log them on
prior to taking the memory dump and therefore there was a lot of still
loading processes observed?
--
Glenn Edwards
@hiddenillusion
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
Jesse Bowling
4174
days inactive
4178
days old
vol-users@lists.volatilityfoundation.org
4 comments
3 participants
participants (3)
-
Glenn Edwards -
Jesse Bowling -
Michael Hale Ligh