
I used win64dd.exe to get a memory image on a 64-bit computer running Windows 7 and had Mandiant Redline analyze the image. One of the things marked red was one of the svchost.exe processes. Redline says

This process has a module which imports a suspicious Handle: (Process) hkcmd.exe

"svchost.exe has potentially spawned a command shell. This is abnormal, and may be an indicator of malicious activity."

How should I proceed from here? Is there a way for me to export information about this process and upload it to some website to be further analyzed?

I'm going to have Norton scan the computer and see if it finds anything (besides tracking cookies).

1 Answer


Spawning a shell usually means someone dropped a reverse-shell exploit into your process.

Do a memory dump of the process:

procdump -mp <processID>

This might lead to an unstable system, so save your work and close all apps first.

From there, you can load the dump into WinDbg and analyse it. However, this isn't a trivial process - even setting up WinDbg can be a pain if you've never done it before. If you can upload it somewhere (public dropbox?) I can probably take a look and discover what's going on.

Polynomial
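The answer gives the one-liner for the dump; the question also asks how to export information about the process so someone else can look at it. The following PowerShell script is an added example, not code from the question or the answer, that does both on the live machine: it finds every svchost.exe instance that currently has a command shell as a child, records the facts an analyst will ask for first (parent process, command line, hosted services, image path and SHA-256, loaded modules outside the Windows directory), and then takes the same ProcDump MiniPlus dump the answer recommends. It assumes an elevated 64-bit PowerShell prompt on the 64-bit Windows 7 host, procdump.exe (Sysinternals) on the PATH, and C:\Triage as a writable output folder; the output folder, the list of shell names, and the helper function names are my choices, not anything from the original page. Get-WmiObject and New-Object PSObject are used instead of their newer replacements so the script runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not code from the original question or answer.
# Finds svchost.exe instances with a shell child, records triage facts,
# and writes a ProcDump MiniPlus dump of each one into $OutDir.
#
# Assumptions (not from the original page):
#   - elevated 64-bit PowerShell on the 64-bit Windows 7 host;
#   - procdump.exe (Sysinternals) is on the PATH;
#   - C:\Triage is a writable output folder.

$OutDir     = 'C:\Triage'
$ShellNames = @('cmd.exe', 'powershell.exe')   # what "command shell" means here
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-Sha256Hex([string]$Path) {
    # SHA-256 of a file via .NET, so it works without Get-FileHash (PS 4.0+).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# Win32_Process carries ParentProcessId and CommandLine; Get-Process does not.
$allProcs = Get-WmiObject -Class Win32_Process
$allSvcs  = Get-WmiObject -Class Win32_Service

$findings = foreach ($svc in ($allProcs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $shells = $allProcs | Where-Object {
        $_.ParentProcessId -eq $svc.ProcessId -and $ShellNames -contains $_.Name.ToLower()
    }
    if (-not $shells) { continue }

    $parent = $allProcs | Where-Object { $_.ProcessId -eq $svc.ParentProcessId }
    $hosted = $allSvcs  | Where-Object { $_.ProcessId -eq $svc.ProcessId }

    # Modules loaded into the process; anything outside %SystemRoot% deserves a
    # second look. Enumeration can fail for protected processes, so catch that.
    $modules = @()
    try {
        $modules = (Get-Process -Id $svc.ProcessId -ErrorAction Stop).Modules |
                   ForEach-Object { $_.FileName }
    } catch { $modules = @("<module list unavailable: $($_.Exception.Message)>") }
    $oddModules = $modules | Where-Object { $_ -notlike "$env:SystemRoot\*" }

    # Sanity checks a legitimate svchost.exe passes: started by services.exe,
    # image is %SystemRoot%\System32\svchost.exe, and it hosts at least one service.
    $imageOk  = $svc.ExecutablePath -ieq "$env:SystemRoot\System32\svchost.exe"
    $parentOk = ($parent -ne $null) -and ($parent.Name -ieq 'services.exe')

    New-Object PSObject -Property @{
        Pid            = $svc.ProcessId
        CommandLine    = $svc.CommandLine
        ImagePath      = $svc.ExecutablePath
        ImageSha256    = $(if ($svc.ExecutablePath) { Get-Sha256Hex $svc.ExecutablePath } else { $null })
        ImagePathOk    = $imageOk
        Parent         = $(if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<parent exited>' })
        ParentOk       = $parentOk
        HostedServices = ($hosted | ForEach-Object { $_.Name }) -join ','
        Shells         = ($shells | ForEach-Object { "$($_.Name) ($($_.ProcessId)): $($_.CommandLine)" }) -join ' | '
        OddModules     = $oddModules -join ','
    }
}

if (-not $findings) {
    Write-Host 'No svchost.exe with a shell child right now; the shell may already have exited.'
} else {
    # Human-readable and machine-readable copies of the same facts.
    $findings | Format-List | Out-File (Join-Path $OutDir 'svchost_triage.txt')
    $findings | Export-Clixml   (Join-Path $OutDir 'svchost_triage.xml')

    foreach ($f in $findings) {
        # MiniPlus dump, as in the answer (-mp); -accepteula suppresses the
        # licence prompt. Same caveat as the answer: save your work first.
        $dmp = Join-Path $OutDir ("svchost_{0}.dmp" -f $f.Pid)
        & procdump.exe -accepteula -mp $f.Pid $dmp
    }
    $findings | Format-List
}
```

Two points worth noting before uploading anything. The SHA-256 in svchost_triage.txt is the safe thing to submit to an online file scanner: if the hash of the image matches the genuine Windows binary, the problem is what was injected into the process, not the executable itself, and the interesting evidence is in the .dmp and the OddModules and Shells fields. The dump itself contains whatever that process had in memory, which for a service host can include tokens and credential material, so share it with a specific person over a private channel rather than a public link. Finally, the script only sees shells that are alive when it runs; a shell that has already exited will show up only in the memory image or in the Security event log if process tracking is enabled, which is why the Redline finding can be real even when this comes back empty.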