GCIH Question #657: Real Exam Question with Answer & Explanation
The correct answer is C: Explorer.exe was the parent process for firefox.exe.
Question
Exhibit
Options
- A. Cmd.exe was the child process of OneDrive.exe
- B. Chrmstp.exe was launched by MSASCuiL.exe
- C. Explorer.exe was the parent process for firefox.exe
- D. Notepad.exe was launched with Administrative privileges
Explanation
Volatility's pstree plugin displays processes in an indented parent-child hierarchy, allowing analysts to determine which process spawned another. The correct answer reflects that Explorer.exe, as the Windows shell process, is typically the direct parent of applications launched by a user; in the exhibit, firefox.exe appears nested under Explorer.exe.
Common mistakes.
- A. The pstree data would show cmd.exe indented under a process such as explorer.exe or another shell host, not under OneDrive.exe, which is a file sync client with no operational reason to spawn a command shell.
- B. Chrmstp.exe is a Chrome installer or setup component that would appear as a child of an update or installer process, not of MSASCuiL.exe, which is the Windows Defender system tray notification icon.
- D. The pstree plugin output displays process names, PIDs, PPIDs, and parent-child nesting but does not report privilege levels or whether a process was launched with administrative rights; that would require a different plugin (for example, one that inspects process tokens).
Concept tested. Reading process parent-child relationships in Volatility pstree