--------------- PSXVIEW-------------- Volatility Foundation Volatility Framework 2.5 Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- -------- 0x015a9020 winlogon.exe 632 True True True True True True True 0x018da020 services.exe 676 True True True True True True True 0x0156c5a0 alg.exe 1616 True True True True True True True 0x018d63d0 VMwareTray.exe 184 True True True True True True True 0x019757f0 svchost.exe 916 True True True True True True True 0x015c4020 lsass.exe 688 True True True True True True True 0x01972ca8 vmacthlp.exe 832 True True True True True True True 0x019a34b0 cmd.exe 544 True True True True True True True 0x0187e9d0 svchost.exe 848 True True True True True True True 0x017daca8 svchost.exe 1020 True True True True True True True 0x01954990 VMwareService.e 1444 True True True True True True True 0x018c6da0 svchost.exe 964 True True True True True True True 0x01a233c8 reader_sl.exe 228 True True True True True True True 0x017e7be0 wuauclt.exe 400 True True True True True True True 0x019937e0 spoolsv.exe 1260 True True True True True True True 0x015bcda0 explorer.exe 1956 True True True True True True True 0x017c4da0 wscntfy.exe 1920 True True True True True True True 0x01a0b478 VMwareUser.exe 192 True True True True True True True 0x015aeda0 svchost.exe 1148 True True True True True True True 0x01bcc830 System 4 True True True True False False False 0x01b45020 smss.exe 536 True True True True False False False 0x018c6020 csrss.exe 608 True True True True False True True Volatility Foundation Volatility Framework 2.5 Offset(P) Name PID PPID PDB Time created ------------------ ---------------- ------ ------ ---------- ---------------------------- 0x000000000156c5a0 alg.exe 1616 676 0x05e001e0 2011-10-10 17:04:01 UTC+0000 0x00000000015a9020 winlogon.exe 632 536 0x05e00060 2011-10-10 17:03:58 UTC+0000 0x00000000015aeda0 svchost.exe 1148 676 0x05e00180 2011-10-10 17:04:00 UTC+0000 0x00000000015bcda0 explorer.exe 1956 1884 0x05e00220 2011-10-10 17:04:39 UTC+0000 0x00000000015c4020 lsass.exe 688 632 0x05e000a0 2011-10-10 17:03:58 UTC+0000 0x00000000017c4da0 wscntfy.exe 1920 964 0x05e00240 2011-10-10 17:04:39 UTC+0000 0x00000000017daca8 svchost.exe 1020 676 0x05e00140 2011-10-10 17:03:59 UTC+0000 0x00000000017e7be0 wuauclt.exe 400 964 0x05e002c0 2011-10-10 17:04:46 UTC+0000 0x000000000187e9d0 svchost.exe 848 676 0x05e000e0 2011-10-10 17:03:59 UTC+0000 0x00000000018c6020 csrss.exe 608 536 0x05e00040 2011-10-10 17:03:58 UTC+0000 0x00000000018c6da0 svchost.exe 964 676 0x05e00120 2011-10-10 17:03:59 UTC+0000 0x00000000018d63d0 VMwareTray.exe 184 1956 0x05e00160 2011-10-10 17:04:41 UTC+0000 0x00000000018da020 services.exe 676 632 0x05e00080 2011-10-10 17:03:58 UTC+0000 0x0000000001954990 VMwareService.e 1444 676 0x05e001c0 2011-10-10 17:04:00 UTC+0000 0x0000000001972ca8 vmacthlp.exe 832 676 0x05e000c0 2011-10-10 17:03:59 UTC+0000 0x00000000019757f0 svchost.exe 916 676 0x05e00100 2011-10-10 17:03:59 UTC+0000 0x00000000019937e0 spoolsv.exe 1260 676 0x05e001a0 2011-10-10 17:04:00 UTC+0000 0x00000000019a34b0 cmd.exe 544 1956 0x05e00200 2011-10-10 17:06:42 UTC+0000 0x0000000001a0b478 VMwareUser.exe 192 1956 0x05e00260 2011-10-10 17:04:41 UTC+0000 0x0000000001a233c8 reader_sl.exe 228 1956 0x05e00280 2011-10-10 17:04:41 UTC+0000 0x0000000001b45020 smss.exe 536 4 0x05e00020 2011-10-10 17:03:56 UTC+0000 0x0000000001bcc830 System 4 0 0x00319000 Volatility Foundation Volatility Framework 2.5 Offset(P) Name PID PPID PDB Time created Time exited ------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------ 0x000000000156c5a0 alg.exe 1616 676 0x05e001e0 2011-10-10 17:04:01 UTC+0000 0x00000000015a9020 winlogon.exe 632 536 0x05e00060 2011-10-10 17:03:58 UTC+0000 0x00000000015aeda0 svchost.exe 1148 676 0x05e00180 2011-10-10 17:04:00 UTC+0000 0x00000000015bcda0 explorer.exe 1956 1884 0x05e00220 2011-10-10 17:04:39 UTC+0000 0x00000000015c4020 lsass.exe 688 632 0x05e000a0 2011-10-10 17:03:58 UTC+0000 0x00000000017c4da0 wscntfy.exe 1920 964 0x05e00240 2011-10-10 17:04:39 UTC+0000 0x00000000017daca8 svchost.exe 1020 676 0x05e00140 2011-10-10 17:03:59 UTC+0000 0x00000000017e7be0 wuauclt.exe 400 964 0x05e002c0 2011-10-10 17:04:46 UTC+0000 0x000000000187e9d0 svchost.exe 848 676 0x05e000e0 2011-10-10 17:03:59 UTC+0000 0x00000000018c6020 csrss.exe 608 536 0x05e00040 2011-10-10 17:03:58 UTC+0000 0x00000000018c6da0 svchost.exe 964 676 0x05e00120 2011-10-10 17:03:59 UTC+0000 0x00000000018d63d0 VMwareTray.exe 184 1956 0x05e00160 2011-10-10 17:04:41 UTC+0000 0x00000000018da020 services.exe 676 632 0x05e00080 2011-10-10 17:03:58 UTC+0000 0x0000000001954990 VMwareService.e 1444 676 0x05e001c0 2011-10-10 17:04:00 UTC+0000 0x0000000001972ca8 vmacthlp.exe 832 676 0x05e000c0 2011-10-10 17:03:59 UTC+0000 0x00000000019757f0 svchost.exe 916 676 0x05e00100 2011-10-10 17:03:59 UTC+0000 0x00000000019937e0 spoolsv.exe 1260 676 0x05e001a0 2011-10-10 17:04:00 UTC+0000 0x00000000019a34b0 cmd.exe 544 1956 0x05e00200 2011-10-10 17:06:42 UTC+0000 0x0000000001a0b478 VMwareUser.exe 192 1956 0x05e00260 2011-10-10 17:04:41 UTC+0000 0x0000000001a233c8 reader_sl.exe 228 1956 0x05e00280 2011-10-10 17:04:41 UTC+0000 0x0000000001b45020 smss.exe 536 4 0x05e00020 2011-10-10 17:03:56 UTC+0000 0x0000000001bcc830 System 4 0 0x00319000