└─$ ./volatility_2.5_linux_x64 -f OCSALY_Case_001/0zapftis.vmem --profile=WinXPSP2x86 dlllist -p 228
Volatility Foundation Volatility Framework 2.5
************************************************************************
reader_sl.exe pid:    228
Command line : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Service Pack 2

Base       Size       LoadCount  Path
---------- ---------- ---------- ----
0x00400000 0xa000     0xffff     C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
0x7c900000 0xb0000    0xffff     C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf4000    0xffff     C:\WINDOWS\system32\kernel32.dll
0x77d40000 0x90000    0xffff     C:\WINDOWS\system32\USER32.dll
0x77f10000 0x46000    0xffff     C:\WINDOWS\system32\GDI32.dll
0x77dd0000 0x9b000    0xffff     C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x91000    0xffff     C:\WINDOWS\system32\RPCRT4.dll
0x7c9c0000 0x814000   0xffff     C:\WINDOWS\system32\SHELL32.dll
0x77c10000 0x58000    0xffff     C:\WINDOWS\system32\msvcrt.dll
0x77f60000 0x76000    0xffff     C:\WINDOWS\system32\SHLWAPI.dll
0x7c420000 0x87000    0xffff     C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
0x78130000 0x9b000    0xffff     C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
0x10000000 0x59000    0x1        C:\WINDOWS\system32\mfc42ul.dll
0x71ab0000 0x17000    0x2        C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000     0x1        C:\WINDOWS\system32\WS2HELP.dll
0x71f60000 0x8000     0x1        C:\WINDOWS\system32\snmpapi.dll
0x77c00000 0x8000     0x1        C:\WINDOWS\system32\VERSION.dll
0x773d0000 0x102000   0x1        C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0x5d090000 0x97000    0x1        C:\WINDOWS\system32\comctl32.dll
0x5ad70000 0x38000    0x2        C:\WINDOWS\system32\uxtheme.dll

└─$ ./volatility_2.5_linux_x64 -f OCSALY_Case_001/0zapftis.vmem --profile=WinXPSP2x86 -p 228 ldrmodules
Volatility Foundation Volatility Framework 2.5
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     228 reader_sl.exe        0x77d40000 True   True   True  \WINDOWS\system32\user32.dll
     228 reader_sl.exe        0x00400000 True   False  True  \Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
     228 reader_sl.exe        0x78130000 True   True   True  \WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
     228 reader_sl.exe        0x77f60000 True   True   True  \WINDOWS\system32\shlwapi.dll
     228 reader_sl.exe        0x7c420000 True   True   True  \WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
     228 reader_sl.exe        0x71ab0000 True   True   True  \WINDOWS\system32\ws2_32.dll
     228 reader_sl.exe        0x71f60000 True   True   True  \WINDOWS\system32\snmpapi.dll
     228 reader_sl.exe        0x77c00000 True   True   True  \WINDOWS\system32\version.dll
     228 reader_sl.exe        0x5ad70000 True   True   True  \WINDOWS\system32\uxtheme.dll
     228 reader_sl.exe        0x77dd0000 True   True   True  \WINDOWS\system32\advapi32.dll
     228 reader_sl.exe        0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
     228 reader_sl.exe        0x5d090000 True   True   True  \WINDOWS\system32\comctl32.dll
     228 reader_sl.exe        0x77e70000 True   True   True  \WINDOWS\system32\rpcrt4.dll
     228 reader_sl.exe        0x77f10000 True   True   True  \WINDOWS\system32\gdi32.dll
     228 reader_sl.exe        0x7c800000 True   True   True  \WINDOWS\system32\kernel32.dll
     228 reader_sl.exe        0x773d0000 True   True   True  \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
     228 reader_sl.exe        0x7c9c0000 True   True   True  \WINDOWS\system32\shell32.dll
     228 reader_sl.exe        0x10000000 True   True   True  \WINDOWS\system32\mfc42ul.dll
     228 reader_sl.exe        0x77c10000 True   True   True  \WINDOWS\system32\msvcrt.dll
     228 reader_sl.exe        0x71aa0000 True   True   True  \WINDOWS\system32\ws2help.dll

┌──(kali㉿kali)-[~/Desktop/volatility/volatility]
└─$ ./volatility_2.5_linux_x64 -f OCSALY_Case_001/0zapftis.vmem --profile=WinXPSP2x86 psxview
Volatility Foundation Volatility Framework 2.5
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x015a9020 winlogon.exe            632 True   True   True     True   True  True    True
0x018da020 services.exe            676 True   True   True     True   True  True    True
0x0156c5a0 alg.exe                1616 True   True   True     True   True  True    True
0x018d63d0 VMwareTray.exe          184 True   True   True     True   True  True    True
0x019757f0 svchost.exe             916 True   True   True     True   True  True    True
0x015c4020 lsass.exe               688 True   True   True     True   True  True    True
0x01972ca8 vmacthlp.exe            832 True   True   True     True   True  True    True
0x019a34b0 cmd.exe                 544 True   True   True     True   True  True    True
0x0187e9d0 svchost.exe             848 True   True   True     True   True  True    True
0x017daca8 svchost.exe            1020 True   True   True     True   True  True    True
0x01954990 VMwareService.e        1444 True   True   True     True   True  True    True
0x018c6da0 svchost.exe             964 True   True   True     True   True  True    True
0x01a233c8 reader_sl.exe           228 True   True   True     True   True  True    True
0x017e7be0 wuauclt.exe             400 True   True   True     True   True  True    True
0x019937e0 spoolsv.exe            1260 True   True   True     True   True  True    True
0x015bcda0 explorer.exe           1956 True   True   True     True   True  True    True
0x017c4da0 wscntfy.exe            1920 True   True   True     True   True  True    True
0x01a0b478 VMwareUser.exe          192 True   True   True     True   True  True    True
0x015aeda0 svchost.exe            1148 True   True   True     True   True  True    True
0x01bcc830 System                    4 True   True   True     True   False False   False
0x01b45020 smss.exe                536 True   True   True     True   False False   False
0x018c6020 csrss.exe               608 True   True   True     True   False True    True
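The two cross-view listings above (ldrmodules and psxview) only help if the analyst knows which False cells are normal and which are not. The script below is an added example, not part of this case write-up and not Volatility code: it parses both outputs and reports only the unexpected gaps. The exception table encodes the Windows XP behaviour visible in the psxview output itself (csrss cannot see itself, System or smss; System and smss have no session and no desktop threads), roughly what psxview's own --apply-rules option does, and the main executable being absent from the InInitializationOrder list is the normal ldrmodules result for every process. The sample rows are constructed: most are copied from the listings above, while the "hidden.exe" process (pid 1337) and the "unlinked.dll" module at 0x00ab0000 are hypothetical rows added only to show what a hit looks like.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not captured output): four rows copied from the psxview
# listing above plus one hypothetical row, pid 1337 "hidden.exe", that shows what
# a process unlinked from the active-process list (pslist False, psscan True) looks like.
PSXVIEW_SAMPLE = r"""
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x01a233c8 reader_sl.exe           228 True   True   True     True   True  True    True
0x01bcc830 System                    4 True   True   True     True   False False   False
0x01b45020 smss.exe                536 True   True   True     True   False False   False
0x018c6020 csrss.exe               608 True   True   True     True   False True    True
0x0badf00d hidden.exe             1337 False  True   True     True   True  True    True
"""

# Constructed sample: three rows from the ldrmodules listing above plus one
# hypothetical row (base 0x00ab0000, "unlinked.dll") that is absent from all three
# PEB lists, which is what an injected-then-unlinked module looks like.
LDRMODULES_SAMPLE = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
     228 reader_sl.exe        0x00400000 True   False  True  \Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
     228 reader_sl.exe        0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
     228 reader_sl.exe        0x10000000 True   True   True  \WINDOWS\system32\mfc42ul.dll
     228 reader_sl.exe        0x00ab0000 False  False  False \WINDOWS\system32\unlinked.dll
"""

PSX_COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# Views that are False on a clean Windows XP image and must not be reported:
# csrss cannot see itself or the two processes that start before it (System, smss),
# and System/smss belong to no session and own no desktop threads.
PSX_EXPECTED_FALSE = {
    "System":    {"csrss", "session", "deskthrd"},
    "smss.exe":  {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}

_BOOL = r"(True|False)"
# Process names are anchored by the PID and the run of True/False cells that follow,
# so a name containing spaces still parses; the trailing optional group is ExitTime.
PSX_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)" + (r"\s+" + _BOOL) * len(PSX_COLUMNS)
                     + r"(?:\s+(\S.*?))?\s*$")
# ldrmodules: pid, process, base, three flags, then MappedPath (may be empty).
LDR_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)" + (r"\s+" + _BOOL) * 3
                     + r"(?:\s+(\S.*?))?\s*$")


def parse_psxview(text: str) -> List[Dict]:
    """Turn psxview text into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PSX_ROW.match(line)
        if not m:
            continue
        g = m.groups()
        rows.append({
            "offset": g[0], "name": g[1], "pid": int(g[2]),
            "flags": {col: g[3 + i] == "True" for i, col in enumerate(PSX_COLUMNS)},
            "exit_time": g[3 + len(PSX_COLUMNS)],
        })
    return rows


def psxview_findings(rows: List[Dict]) -> List[Tuple[str, int, str, List[str]]]:
    """Return (severity, pid, name, unexpected-False views) for every suspicious row."""
    findings = []
    for r in rows:
        missing = {c for c, v in r["flags"].items() if not v} - PSX_EXPECTED_FALSE.get(r["name"], set())
        if not missing:
            continue
        if r["exit_time"]:
            sev = "INFO"    # terminated process: expected to drop out of the live views
        elif "pslist" in missing and r["flags"]["psscan"]:
            sev = "HIGH"    # EPROCESS still in memory but unlinked from the active-process list
        else:
            sev = "MEDIUM"
        findings.append((sev, r["pid"], r["name"], sorted(missing)))
    return findings


def parse_ldrmodules(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        m = LDR_ROW.match(line)
        if not m:
            continue
        pid, proc, base, inload, ininit, inmem, path = m.groups()
        rows.append({"pid": int(pid), "process": proc, "base": int(base, 16),
                     "inload": inload == "True", "ininit": ininit == "True",
                     "inmem": inmem == "True", "path": path or ""})
    return rows


def ldrmodules_findings(rows: List[Dict]) -> List[Tuple[str, int, str, str, List[str]]]:
    """Return (severity, pid, base, path, missing lists) for modules hidden from the PEB lists."""
    findings = []
    for r in rows:
        basename = r["path"].rsplit("\\", 1)[-1].lower()
        # EPROCESS.ImageFileName is truncated to 15 characters, so match by prefix.
        is_main_image = bool(basename) and basename.startswith(r["process"].lower())
        missing = [k for k in ("inload", "ininit", "inmem") if not r[k]]
        if is_main_image and missing == ["ininit"]:
            continue    # the main executable is never on the InInitializationOrder list
        if not missing and r["path"]:
            continue
        # Unbacked mapping or unlinked from every list: classic injection signs.
        sev = "HIGH" if (not r["path"] or len(missing) == 3) else "MEDIUM"
        findings.append((sev, r["pid"], hex(r["base"]), r["path"], missing))
    return findings


if __name__ == "__main__":
    for f in psxview_findings(parse_psxview(PSXVIEW_SAMPLE)):
        print("psxview   ", *f)
    for f in ldrmodules_findings(parse_ldrmodules(LDRMODULES_SAMPLE)):
        print("ldrmodules", *f)
```

Run it on the real plugin output by piping the text into the two parse functions; against the listings above it reports nothing, because every False cell there is covered by the exceptions, which is the point of keeping them explicit rather than eyeballing the columns.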