from https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
noticed that several VMWare processes are running reader_sl is present, though probably not of interest this time! cmd.exe running checked through process-parent relationships to see who was started by whom
netscan/connections both show nothing sockets shows a bunch of stuff port 1026 potentially interesting as used by trojans (according to speedguide.net) as well as remote procedure calls port 1029, even worse report port 445 on SYSTEM process apparently a big potential vulnerability basically all ports mentioned in the sockets results seem dubious, with 445 and 1029 seeming worst System and an svchost instance
trying this module on various processes, i noticed that winlogon.exe does not originate from \Windows\System32 as expected winlogon.exe was also started by csrss.exe - when it's not supposed to have a parent process
tested a few processes by dumping them and uploading to virustotal several of my processes-of-interest returned red flags, but only a few each
running the consoles module on the dump, i saw something interesting in the csrss.exe process, "titled" as %SystemRoot%\system32\cmd.exe" ran 2 commands 1 typo, followed by "sc query malware". SEEMS LEGIT. "SERVICE_NAME: malware TYPE :1 KERNEL_DRIVER
attached process 544, who's that? - oh wait i noted this earlier. the cmd.exe process handle 0x4c4
grepped the output to find process 608 (csrss) started cmd.exe process 688 (lsass) recorded an event "PS_SERVICE_STARTED" a key? USER\S-1-5-21-839522115-73586283-2147125571-500_CLASSES. what's that?
shows active connections - hadn't heard of this. shows a connection from process 1956, local port 1026 to external 6666
at this point i stop following procdump 1956, upload to virustotal. LOTS of red flags.
grepped the contents of the explorer.exe process dump looking for the controller IP address found with connscan, didn't find much
explorer.exe would appear to be the malicious process it's communicating out to what is presumably a remote controller this process initiated several VMware processes as well as the cmd.exe process - and reader_sl.exe, though it seems clean a search tells me that R2D2 is ransomware, perhaps this is why the VMware processes exist - or perhaps they were simply created by whoever made the memory dump