A review of the results from a variety of sources has indicated that the process 1640 and the associated executable Reader_sl.exe are suspected of containing malware. While the data thus far is very useful, it is often necessary to obtain confirmation from external sources that the executable in question is malicious. This can include something as simple as checking the hash of the executable against third-party sources all the way to forwarding the executable to a malware reverse engineering team.
To acquire the executable from the memory image, utilize the procdump plugin. The following command will dump the executable to the selected folder:
volatility -f cridex_laptop.mem --profile=WinXPSP2x86 -p 1640 procdump --dump-dir /mnt/d/Suspicious_Process_PID_1640/
The command produces the following output:
A check of the folder where the files were dumped to reveals that the executable, memory space, and the DLL files have all been successfully acquired:
Once the files have been acquired, they can then be analyzed for malware, either by the incident response team or through a separate malware analysis team. These files will make up a significant portion of the analysis in Chapter 12, Malware Analysis for Incident Response.