[Vol-users] diagnose problematic ram dump?

Dewhirst, Rob robdewhirst at gmail.com
Tue Nov 5 18:49:53 CST 2013


Output attached as a text file. pslist = nope; psscan found some but not
all of the processes.

On Tue, Nov 5, 2013 at 5:14 PM, Michael Hale Ligh
<michael.hale at gmail.com> wrote:
> Hi Rob,
>
> I would suggest trying the two commands:
>
> $ python vol.py -f <FILE> --profile=Win7SP1x64 --dtb=0x187000 pslist
>
> And
>
> $ python vol.py -f <FILE> --profile=Win7SP1x64 --dtb=0x187000 psscan
>
> If neither of those have output, it's likely an acquisition issue. I would
> recommend contacting Michael Cohen (scudette), the author and maintainer of
> winpmem.
>
> Cheers,
> MHL
>
>
> On Tue, Nov 5, 2013 at 6:08 PM, Andrew Case <atcuno at gmail.com> wrote:
>>
>> Which tool did you use to acquire?
>>
>> Sent from my droid --
>>
>> On Nov 5, 2013 4:14 PM, "Dewhirst, Rob" <robdewhirst at gmail.com> wrote:
>>>
>>> I have a Win7SP1x64 image with the following issues:
>>>
>>>
>>> imageinfo never completes (this is as far as it gets)
>>>
>>>
>>> Determining profile based on KDBG search...
>>>
>>>           Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
>>> Win7SP0x64, Win2008R2SP1x64
>>>                      AS Layer1 : AMD64PagedMemory (Kernel AS)
>>>                      AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
>>>                       PAE type : No PAE
>>>                            DTB : 0x187000L
>>>
>>>
>>> pslist shows no processes
>>> netscan shows no connections.
>>>
>>> I am using Volatility 2.3.1 on linux, but I have tried the standalone
>>> windows exe with the same results.
>>> Image was collected with winpmem 1.4.1, and I watched the capture.  I
>>> did not see any errors and it seemed to take about the right amount of
>>> time.
>>>
>>> What would be my next steps to troubleshoot?
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
-------------- next part --------------
$ python Volatility/vol.py -f xxxx.raw --profile=Win7SP1x64 --dtb=0x187000 pslist
Volatility Foundation Volatility Framework 2.3.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit 
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8003866040                           0 69...4      0 -------- ------      0                                     

$ python Volatility/vol.py -f xxxx.raw --profile=Win7SP1x64 --dtb=0x187000 psscan


Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x00000000001ddb30 cmd.exe            1328   6856 0x00000000af93a000 2013-10-23 09:37:21 UTC+0000   2013-10-23 09:37:21 UTC+0000
0x00000000031f99e0 cmd.exe           12996   6856 0x000000006aefc000 2013-10-24 17:06:20 UTC+0000   2013-10-24 17:06:20 UTC+0000
0x000000003a82d9e0 cmd.exe           12996   6856 0x000000006aefc000 2013-10-24 17:06:20 UTC+0000   2013-10-24 17:06:20 UTC+0000
0x0000000074bc0b30 cmd.exe            1328   6856 0x00000000af93a000 2013-10-23 09:37:21 UTC+0000   2013-10-23 09:37:21 UTC+0000
0x0000000097ef19e0 cmd.exe           12996   6856 0x000000006aefc000 2013-10-24 17:06:20 UTC+0000   2013-10-24 17:06:20 UTC+0000
0x00000000cc0d99e0 cmd.exe           12996   6856 0x000000006aefc000 2013-10-24 17:06:20 UTC+0000   2013-10-24 17:06:20 UTC+0000
0x000000010414d688 cmd.exe            8968   3076 0x000000009e6c9000 2013-10-18 05:48:32 UTC+0000   2013-10-18 05:48:32 UTC+0000
0x000000010b8bf270 cmd.exe            8968   3076 0x000000009e6c9000 2013-10-18 05:48:32 UTC+0000   2013-10-18 05:48:32 UTC+0000
0x0000000111ba7588 cmd.exe            8968   3076 0x000000009e6c9000 2013-10-18 05:48:32 UTC+0000   2013-10-18 05:48:32 UTC+0000
0x0000000117a0e9e0 cmd.exe           12996   6856 0x000000006aefc000 2013-10-24 17:06:20 UTC+0000   2013-10-24 17:06:20 UTC+0000
0x00000001251c7060 cmd.exe            1236   6856 0x0000000032a0d000 2013-10-23 04:32:20 UTC+0000   2013-10-23 04:32:22 UTC+0000
0x00000001251cc190 cmd.exe           10804   6856 0x00000000cc5b5000 2013-10-29 06:49:43 UTC+0000   2013-10-29 06:49:46 UTC+0000
0x00000001252fbb30 cmd.exe            7628   6856 0x0000000078f7b000 2013-10-30 17:23:43 UTC+0000   2013-10-30 17:23:46 UTC+0000
0x00000001253a5060 svchost.exe        3128    448 0x000000004cfec000 2013-10-11 13:04:52 UTC+0000
0x00000001253b1b30 atieclxx.exe       2068    756 0x000000004f9f1000 2013-10-11 13:04:51 UTC+0000
0x0000000125503b30 svchost.exe        2864    448 0x0000000035806000 2013-10-11 13:04:33 UTC+0000
0x000000012551fb30 cmd.exe            8000   3076 0x00000000636db000 2013-10-21 00:53:32 UTC+0000   2013-10-21 00:53:33 UTC+0000
0x0000000125540b30 cmd.exe           10516   6856 0x0000000093360000 2013-10-23 08:36:20 UTC+0000   2013-10-23 08:36:21 UTC+0000
0x000000012556c4b0 Foxit Updater.     2224   2128 0x000000001e7b9000 2013-10-22 15:51:26 UTC+0000   2013-10-31 14:22:15 UTC+0000
0x00000001255b81b0 cmd.exe            7960   3076 0x000000003db7d000 2013-10-17 21:40:32 UTC+0000   2013-10-17 21:40:32 UTC+0000
0x00000001255bba60 cmd.exe           11652   6856 0x000000006e74b000 2013-10-23 23:49:20 UTC+0000   2013-10-23 23:49:21 UTC+0000
0x00000001255cf8a0 cmd.exe           13276   6856 0x00000000b4cca000 2013-10-25 11:23:34 UTC+0000   2013-10-25 11:23:35 UTC+0000
0x0000000125631620 cmd.exe           12496   6856 0x000000007515d000 2013-10-27 10:07:43 UTC+0000   2013-10-27 10:07:44 UTC+0000
0x000000012571e1c0 cmd.exe            1308   6856 0x0000000098759000 2013-10-22 23:27:20 UTC+0000   2013-10-22 23:27:20 UTC+0000
0x0000000125731b30 CcmExec.exe        2144    448 0x000000003c412000 2013-10-11 13:04:29 UTC+0000
0x000000012578cb30 cmd.exe            8284   6856 0x0000000034c7e000 2013-10-29 08:51:43 UTC+0000   2013-10-29 08:51:44 UTC+0000
0x00000001257c1b30 cmd.exe           15544   6856 0x0000000062366000 2013-10-31 05:34:43 UTC+0000   2013-10-31 05:34:44 UTC+0000
0x00000001257eab30 cmd.exe            8188   3076 0x0000000017458000 2013-10-17 20:38:32 UTC+0000   2013-10-17 20:38:34 UTC+0000
0x00000001258cf660 cmd.exe            1468   3076 0x00000000bd156000 2013-10-17 10:29:32 UTC+0000   2013-10-17 10:29:34 UTC+0000
0x000000012593e4d0 svchost.exe        1660    448 0x0000000066a21000 2013-10-11 13:04:27 UTC+0000
0x0000000125946b30 cmd.exe            9820   3076 0x0000000112b5a000 2013-10-20 12:40:32 UTC+0000   2013-10-20 12:40:34 UTC+0000
0x000000012595e060 svchost.exe        1720    448 0x0000000068d6a000 2013-10-11 13:04:27 UTC+0000
0x000000012599cb30 cmd.exe            6520   3076 0x00000000bfcf4000 2013-10-19 10:15:32 UTC+0000   2013-10-19 10:15:32 UTC+0000
0x00000001259a3060 WmiPrvSE.exe       2212    632 0x0000000026a04000 2013-10-11 13:04:48 UTC+0000
0x0000000125a37060 ALsvc.exe          1980    448 0x00000000622a3000 2013-10-11 13:04:28 UTC+0000
0x0000000125a9f060 cmd.exe           11696   6856 0x0000000021285000 2013-10-25 04:16:34 UTC+0000   2013-10-25 04:16:34 UTC+0000
0x0000000125abb740 svchost.exe        1152    448 0x00000000626f6000 2013-10-11 13:04:29 UTC+0000
0x0000000125b25470 cmd.exe           14212   6856 0x000000006956b000 2013-10-28 05:26:43 UTC+0000   2013-10-28 05:26:45 UTC+0000
0x0000000125b445b0 svchost.exe        1776    448 0x0000000067f34000 2013-10-11 13:04:27 UTC+0000
0x0000000125b6f960 cmd.exe           12708   6856 0x000000002e185000 2013-10-23 18:44:20 UTC+0000   2013-10-23 18:44:20 UTC+0000
0x0000000125be4320 chrome.exe        10244  12964 0x0000000079d60000 2013-10-28 21:03:04 UTC+0000   2013-10-31 14:22:07 UTC+0000
0x0000000125bf1060 cmd.exe           10140   3076 0x000000010ad60000 2013-10-19 09:13:32 UTC+0000   2013-10-19 09:13:35 UTC+0000
0x0000000125c1a060 SAVAdminServic    12256    448 0x0000000025102000 2013-10-21 15:11:56 UTC+0000
0x0000000125c23670 svchost.exe        1404    448 0x0000000046fd8000 2013-10-11 13:04:26 UTC+0000
0x0000000125c673d0 taskhost.exe       4956    448 0x00000000b72cf000 2013-10-31 05:05:24 UTC+0000   2013-10-31 05:05:37 UTC+0000
0x0000000125ca8060 spoolsv.exe        1512    448 0x000000006b0ee000 2013-10-11 13:04:27 UTC+0000
0x0000000125cb1060 cmd.exe           12396   6856 0x000000001e7cc000 2013-10-24 13:02:20 UTC+0000   2013-10-24 13:02:21 UTC+0000
0x0000000125d25060 cmd.exe            9288   3076 0x0000000091dcb000 2013-10-19 21:26:32 UTC+0000   2013-10-19 21:26:32 UTC+0000
0x0000000125d39600 cmd.exe            5336   6856 0x00000000027de000 2013-10-26 07:42:43 UTC+0000   2013-10-26 07:42:44 UTC+0000
0x0000000125d3d960 cmd.exe            6788   3076 0x000000003516e000 2013-10-18 02:44:31 UTC+0000   2013-10-18 02:44:31 UTC+0000
0x0000000125d4eb30 cmd.exe            3136   3076 0x000000011c351000 2013-10-18 03:45:31 UTC+0000   2013-10-18 03:45:32 UTC+0000
0x0000000125d69610 RouterNT.exe       2036    448 0x000000005fba1000 2013-10-11 13:04:28 UTC+0000
0x0000000125da7b30 cmd.exe            7200   3076 0x000000008fe13000 2013-10-21 06:57:31 UTC+0000   2013-10-21 06:57:35 UTC+0000
0x0000000125dc1b30 cmd.exe            8612   6856 0x0000000072f0c000 2013-10-26 10:45:43 UTC+0000   2013-10-26 10:45:44 UTC+0000
0x0000000125df35f0 cmd.exe           12868   6856 0x0000000000ceb000 2013-10-26 19:53:43 UTC+0000   2013-10-26 19:53:44 UTC+0000
0x0000000125dfeb30 cmd.exe            3184   6856 0x0000000112939000 2013-10-26 06:41:44 UTC+0000   2013-10-26 06:41:45 UTC+0000
0x0000000125e25b30 cmd.exe           10580   3076 0x000000008c9a9000 2013-10-20 17:46:32 UTC+0000   2013-10-20 17:46:33 UTC+0000
0x0000000125e81b30 cmd.exe            4796   6856 0x0000000043c4e000 2013-10-23 16:42:20 UTC+0000   2013-10-23 16:42:23 UTC+0000
0x0000000125e8c5d0 cmd.exe            5128   6856 0x000000005ffaf000 2013-10-25 21:32:43 UTC+0000   2013-10-25 21:32:43 UTC+0000
0x0000000125ea2820 cmd.exe            8460   3076 0x000000008bb99000 2013-10-18 07:50:32 UTC+0000   2013-10-18 07:50:33 UTC+0000
0x0000000125ebfb30 cmd.exe           13288   6856 0x00000001029f4000 2013-10-23 01:29:20 UTC+0000   2013-10-23 01:29:21 UTC+0000
0x0000000125f0d330 cmd.exe            6644   6856 0x0000000110c19000 2013-10-26 01:36:44 UTC+0000   2013-10-26 01:36:44 UTC+0000
0x0000000125f1f4b0 lmi_rescue.exe     7576   9116 0x000000008c445000 2013-10-31 14:30:11 UTC+0000
0x0000000125f1fb30 cmd.exe            3412   3076 0x000000000043e000 2013-10-16 23:17:32 UTC+0000   2013-10-16 23:17:34 UTC+0000
0x0000000125f23440 ra64app.exe        4340   7576 0x0000000047903000 2013-10-31 14:30:11 UTC+0000   2013-10-31 14:30:12 UTC+0000
0x0000000125f295b0 cmd.exe            9380   6856 0x000000010a255000 2013-10-29 10:53:43 UTC+0000   2013-10-29 10:53:44 UTC+0000
0x0000000125f31060 cmd.exe            6428   3076 0x000000006ea75000 2013-10-20 07:36:32 UTC+0000   2013-10-20 07:36:33 UTC+0000
0x0000000125f36700 cmd.exe            5352   3076 0x00000001022d3000 2013-10-20 02:31:32 UTC+0000   2013-10-20 02:31:32 UTC+0000
0x0000000125f67b30 svchost.exe         332    448 0x000000007ec27000 2013-10-11 13:04:13 UTC+0000
0x0000000125f7c060 svchost.exe         576    448 0x000000007f42c000 2013-10-11 13:04:13 UTC+0000
0x0000000125f99060 SavService.exe     1032    448 0x000000007eeb4000 2013-10-11 13:04:13 UTC+0000   2013-10-21 15:10:45 UTC+0000
0x0000000125fafb30 cmd.exe            7500   6856 0x000000006c7be000 2013-10-29 23:05:43 UTC+0000   2013-10-29 23:05:43 UTC+0000
0x0000000125fd2b30 cmd.exe            9660   3076 0x000000006ba57000 2013-10-19 07:12:32 UTC+0000   2013-10-19 07:12:33 UTC+0000
0x0000000125fd31b0 taskeng.exe       16016    948 0x00000001107fd000 2013-10-31 14:35:59 UTC+0000
0x0000000126001b30 cmd.exe            7440   6856 0x000000006e1f3000 2013-10-25 06:18:34 UTC+0000   2013-10-25 06:18:35 UTC+0000
0x000000012600f5c0 cmd.exe           10812   6856 0x000000007c0fe000 2013-10-24 19:07:34 UTC+0000   2013-10-24 19:07:35 UTC+0000
0x000000012601eb30 cmd.exe            1920   6856 0x000000010ec66000 2013-10-29 11:54:44 UTC+0000   2013-10-29 11:54:44 UTC+0000
0x0000000126022060 svchost.exe        3896    448 0x0000000026761000 2013-10-11 13:06:34 UTC+0000
0x00000001260249d0 ManagementAgen     1876    448 0x000000004e740000 2013-10-11 13:04:27 UTC+0000
0x000000012605d060 cmd.exe           10652   3076 0x0000000022f3e000 2013-10-20 08:36:31 UTC+0000   2013-10-20 08:36:32 UTC+0000
0x0000000126068060 svchost.exe        1540    448 0x00000000454d8000 2013-10-11 13:04:27 UTC+0000
0x0000000126082060 cmd.exe            6608   3076 0x0000000085f9f000 2013-10-20 01:29:31 UTC+0000   2013-10-20 01:29:32 UTC+0000
0x0000000126084300 cmd.exe           11584   3580 0x000000003cc9a000 2013-10-31 14:38:03 UTC+0000
0x0000000126123470 svchost.exe         840    448 0x000000008b33d000 2013-10-11 13:04:09 UTC+0000
0x0000000126135310 SearchIndexer.     3972    448 0x000000002836e000 2013-10-11 13:06:36 UTC+0000
0x00000001261535c0 svchost.exe         916    448 0x0000000073455000 2013-10-11 13:04:09 UTC+0000
0x0000000126168410 cmd.exe            4140   6856 0x000000010f5b1000 2013-10-30 22:27:43 UTC+0000   2013-10-30 22:27:43 UTC+0000
0x0000000126169060 schtasks.exe      12248   6856 0x0000000108b0b000 2013-10-23 05:33:27 UTC+0000
0x000000012616e9e0 svchost.exe         948    448 0x0000000072f5f000 2013-10-11 13:04:09 UTC+0000
0x0000000126191a30 cmd.exe            4756   3076 0x0000000015f32000 2013-10-20 03:32:32 UTC+0000   2013-10-20 03:32:32 UTC+0000
0x00000001261eab30 cmd.exe            6260   3076 0x000000011d689000 2013-10-19 22:26:31 UTC+0000   2013-10-19 22:26:32 UTC+0000
0x00000001261ed940 cmd.exe            1476   6856 0x00000000be609000 2013-10-27 13:10:43 UTC+0000   2013-10-27 13:10:44 UTC+0000
0x0000000126206740 cmd.exe           13580   6856 0x000000000af42000 2013-10-26 08:43:43 UTC+0000   2013-10-26 08:43:43 UTC+0000
0x00000001262bd3d0 cmd.exe           14264   6856 0x0000000091846000 2013-10-28 20:39:43 UTC+0000   2013-10-28 20:39:44 UTC+0000
0x00000001262d2b30 cmd.exe           11300   6856 0x00000000311ee000 2013-10-29 14:57:43 UTC+0000   2013-10-29 14:57:44 UTC+0000
0x00000001262f83d0 cmd.exe            5060   6856 0x0000000032b55000 2013-10-25 20:31:43 UTC+0000   2013-10-25 20:31:44 UTC+0000
0x00000001263138a0 chrome.exe        11008  12964 0x0000000083bd2000 2013-10-29 16:31:10 UTC+0000   2013-10-31 14:20:38 UTC+0000
0x0000000126382b30 SavService.exe     2116    448 0x00000001069b8000 2013-10-21 15:11:55 UTC+0000
0x000000012639c310 cmd.exe           11284   6856 0x0000000098a4e000 2013-10-22 20:24:21 UTC+0000   2013-10-22 20:24:22 UTC+0000
0x00000001263b3b30 ra64app.exe       10132   9116 0x000000010bdec000 2013-10-31 14:30:11 UTC+0000   2013-10-31 14:30:11 UTC+0000
0x00000001263cc620 UI0Detect.exe     11564    448 0x00000000754a2000 2013-10-21 15:11:04 UTC+0000
0x00000001263f5850 cmd.exe            6572   3076 0x000000000bd32000 2013-10-18 00:43:32 UTC+0000   2013-10-18 00:43:33 UTC+0000
0x0000000126413280 cmd.exe           11928   6856 0x0000000014c66000 2013-10-23 20:46:20 UTC+0000   2013-10-23 20:46:22 UTC+0000
0x0000000126415b30 cmd.exe            9100   3076 0x0000000011dd6000 2013-10-17 22:40:32 UTC+0000   2013-10-17 22:40:32 UTC+0000
0x000000012642bb30 cmd.exe           11204   6856 0x0000000010e75000 2013-10-31 03:32:43 UTC+0000   2013-10-31 03:32:44 UTC+0000
0x0000000126444060 cmd.exe           12168   6856 0x0000000097025000 2013-10-27 06:03:43 UTC+0000   2013-10-27 06:03:44 UTC+0000
0x00000001264a69e0 svchost.exe         632    448 0x000000008c56e000 2013-10-11 13:04:09 UTC+0000
0x00000001264af060 svchost.exe         712    448 0x000000007584c000 2013-10-11 13:04:09 UTC+0000
0x00000001264bb1d0 cmd.exe           10100   3076 0x000000004ceb0000 2013-10-19 01:05:31 UTC+0000   2013-10-19 01:05:31 UTC+0000
0x00000001264ea370 atiesrxx.exe        756    448 0x000000008bd37000 2013-10-11 13:04:09 UTC+0000
0x0000000126619b30 cmd.exe            4776   6856 0x0000000069148000 2013-10-24 15:04:20 UTC+0000   2013-10-24 15:04:20 UTC+0000
0x0000000126632060 wininit.exe         396    308 0x0000000091574000 2013-10-11 13:04:06 UTC+0000
0x0000000126638b30 csrss.exe           412    388 0x000000007ec16000 2013-10-11 13:04:06 UTC+0000
0x0000000126663b30 swc_service.ex     1112    448 0x00000001107f2000 2013-10-21 15:11:47 UTC+0000
0x0000000126688060 lsass.exe           464    396 0x000000007d953000 2013-10-11 13:04:06 UTC+0000
0x000000012668e590 lsm.exe             472    396 0x000000007d999000 2013-10-11 13:04:06 UTC+0000
0x00000001266b3b30 services.exe        448    396 0x0000000090b6c000 2013-10-11 13:04:06 UTC+0000
0x00000001266cab30 winlogon.exe        544    388 0x000000007be5c000 2013-10-11 13:04:07 UTC+0000
0x00000001267d5060 cmd.exe            6972   3076 0x00000000cc7f4000 2013-10-18 12:54:31 UTC+0000   2013-10-18 12:54:32 UTC+0000
0x00000001267e6b30 cmd.exe           10148   3076 0x0000000022651000 2013-10-19 15:19:31 UTC+0000   2013-10-19 15:19:34 UTC+0000
0x000000012680b310 cmd.exe           15376   6856 0x0000000033f07000 2013-10-30 18:24:43 UTC+0000   2013-10-30 18:24:47 UTC+0000
0x0000000126818b30 cmd.exe            2612   6856 0x00000000904b8000 2013-10-26 15:49:43 UTC+0000   2013-10-26 15:49:44 UTC+0000
0x000000012683d290 cmd.exe            9348   3076 0x000000006de30000 2013-10-18 18:59:31 UTC+0000   2013-10-18 18:59:32 UTC+0000
0x000000012684db30 cmd.exe           10492   3076 0x000000003810b000 2013-10-20 15:44:32 UTC+0000   2013-10-20 15:44:33 UTC+0000
0x000000012685fb30 cmd.exe            7444   3076 0x0000000066c66000 2013-10-18 19:00:32 UTC+0000   2013-10-18 19:00:32 UTC+0000
0x0000000126863b30 cmd.exe           14896   6856 0x00000001118f8000 2013-10-30 13:19:43 UTC+0000   2013-10-30 13:19:44 UTC+0000
0x0000000126863b30 cmd.exe           14896   6856 0x00000001118f8000 2013-10-30 13:19:43 UTC+0000   2013-10-30 13:19:44 UTC+0000
0x00000001268e2b30 csrss.exe           316    308 0x000000009232e000 2013-10-11 13:04:05 UTC+0000
0x0000000126b0c060 cmd.exe            7028   3076 0x000000001d303000 2013-10-17 05:23:31 UTC+0000   2013-10-17 05:23:32 UTC+0000
0x0000000126b2c270 cmd.exe            1264   6856 0x0000000030c84000 2013-10-23 05:33:21 UTC+0000   2013-10-23 05:33:31 UTC+0000
0x0000000126b42b30 smss.exe            244      4 0x000000009bd71000 2013-10-11 13:04:03 UTC+0000
0x0000000126c8f560 cmd.exe            1868   6856 0x000000002a485000 2013-10-28 19:38:43 UTC+0000   2013-10-28 19:38:43 UTC+0000
0x0000000126cc9b30 cmd.exe           10564   6856 0x0000000032d91000 2013-10-27 11:08:43 UTC+0000   2013-10-27 11:08:44 UTC+0000
0x0000000126d26b30 cmd.exe           13504   6856 0x000000001f6d6000 2013-10-25 16:27:43 UTC+0000   2013-10-25 16:27:44 UTC+0000
0x0000000126d3b060 cmd.exe           14936   6856 0x0000000080044000 2013-10-28 13:32:44 UTC+0000   2013-10-28 13:32:46 UTC+0000
0x0000000126d536e0 cmd.exe           11840   6856 0x000000004cb6b000 2013-10-29 09:52:43 UTC+0000   2013-10-29 09:52:43 UTC+0000
0x0000000126daab30 cmd.exe            8848   3076 0x00000000358fa000 2013-10-17 18:36:31 UTC+0000   2013-10-17 18:36:32 UTC+0000
0x0000000126dbc1a0 cmd.exe           12532   6856 0x0000000119ea8000 2013-10-25 03:15:34 UTC+0000   2013-10-25 03:15:35 UTC+0000
0x0000000126dc9a10 cmd.exe            7412   3076 0x0000000013b2b000 2013-10-17 19:37:31 UTC+0000   2013-10-17 19:37:34 UTC+0000
0x0000000126dcf2c0 cmd.exe           15536   6856 0x000000009414c000 2013-10-30 01:07:43 UTC+0000   2013-10-30 01:07:44 UTC+0000
0x0000000126ddf8a0 cmd.exe           11804   6856 0x000000007a703000 2013-10-25 23:34:43 UTC+0000   2013-10-25 23:34:43 UTC+0000
0x0000000126e07b30 cmd.exe            5332   6856 0x000000007877f000 2013-10-28 17:36:43 UTC+0000   2013-10-28 17:36:44 UTC+0000
0x0000000126e167e0 cmd.exe            6188   3076 0x0000000024475000 2013-10-17 08:27:32 UTC+0000   2013-10-17 08:27:33 UTC+0000
0x0000000126e578d0 cmd.exe            3032   6856 0x000000002e98a000 2013-10-26 03:38:43 UTC+0000   2013-10-26 03:38:43 UTC+0000
0x0000000126e5bb30 cmd.exe            5812   3076 0x000000008320d000 2013-10-19 19:23:31 UTC+0000   2013-10-19 19:23:33 UTC+0000
0x0000000126e7cb30 cmd.exe            4084   6856 0x00000000b0f6b000 2013-10-28 15:34:43 UTC+0000   2013-10-28 15:34:44 UTC+0000
0x0000000126e82660 cmd.exe           14008   6856 0x000000000dc1e000 2013-10-30 07:13:43 UTC+0000   2013-10-30 07:13:44 UTC+0000
0x0000000126f16b30 chrome.exe         2412  12964 0x00000000568b4000 2013-10-28 17:41:20 UTC+0000   2013-10-31 14:20:39 UTC+0000
0x0000000126f18060 chrome.exe         9240   9048 0x00000000cc06b000 2013-10-31 14:29:06 UTC+0000
0x0000000126f5d410 cmd.exe            6508   6856 0x0000000070748000 2013-10-30 21:27:43 UTC+0000   2013-10-30 21:27:44 UTC+0000
0x0000000126f76130 WmiPrvSE.exe       3348    632 0x00000000446ab000 2013-10-11 13:05:09 UTC+0000
0x0000000126fe0b30 conhost.exe       14928    412 0x000000009fd5f000 2013-10-31 14:38:03 UTC+0000
0x00000001270bb230 cmd.exe           11248   6856 0x0000000052906000 2013-10-26 02:37:43 UTC+0000   2013-10-26 02:37:44 UTC+0000
0x00000001270c5470 cmd.exe           10708   6856 0x0000000070290000 2013-10-22 17:21:20 UTC+0000   2013-10-22 17:21:21 UTC+0000
0x00000001270d3060 schtasks.exe      10376   3076 0x000000006bf53000 2013-10-20 06:35:38 UTC+0000
0x0000000127118b30 cmd.exe            8912   3076 0x00000001042e0000 2013-10-18 14:57:32 UTC+0000   2013-10-18 14:57:32 UTC+0000
0x0000000127138150 cmd.exe            8968   3076 0x000000009e6c9000 2013-10-18 05:48:32 UTC+0000   2013-10-18 05:48:32 UTC+0000
0x0000000127197b30 cmd.exe            4512   6856 0x000000009fbbc000 2013-10-28 09:28:43 UTC+0000   2013-10-28 09:28:44 UTC+0000
0x00000001271b3060 cmd.exe            6720   3076 0x0000000045a6b000 2013-10-16 22:16:32 UTC+0000   2013-10-16 22:16:33 UTC+0000
0x00000001271cc590 h?l????x?l????    150      0 0x0000003200000000
0x00000001271d1890 cmd.exe            8512   6856 0x000000004cb0e000 2013-10-24 14:03:21 UTC+0000   2013-10-24 14:03:22 UTC+0000
0x00000001271d98c0 conhost.exe       10396    412 0x0000000092b21000 2013-10-20 06:35:38 UTC+0000
0x00000001271f2320 cmd.exe           10680   3076 0x0000000008439000 2013-10-21 02:54:32 UTC+0000   2013-10-21 02:54:32 UTC+0000
0x00000001271fa400 cmd.exe           12008   6856 0x00000000530f2000 2013-10-27 04:01:43 UTC+0000   2013-10-27 04:01:44 UTC+0000
0x0000000127220b30 cmd.exe            1888   3076 0x0000000102da1000 2013-10-19 05:10:32 UTC+0000   2013-10-19 05:10:32 UTC+0000
0x000000012722c1c0 cmd.exe            8920   3076 0x0000000108523000 2013-10-18 01:44:32 UTC+0000   2013-10-18 01:44:33 UTC+0000
0x0000000127259ae0 cmd.exe           12560   6856 0x000000002223b000 2013-10-25 10:22:34 UTC+0000   2013-10-25 10:22:34 UTC+0000
0x0000000127269120 sfc.exe            1300    448 0x000000007296d000 2013-10-31 14:26:25 UTC+0000
0x000000012728d260 cmd.exe           14332   6856 0x0000000023150000 2013-10-28 10:29:43 UTC+0000   2013-10-28 10:29:44 UTC+0000
0x000000012729f060 chrome.exe         4584   9048 0x000000003ff65000 2013-10-31 14:29:11 UTC+0000
0x00000001272efb30 cmd.exe           13240   6856 0x0000000034b46000 2013-10-23 00:28:20 UTC+0000   2013-10-23 00:28:21 UTC+0000
0x00000001273662e0 cmd.exe            7840   3076 0x000000004d965000 2013-10-18 11:53:31 UTC+0000   2013-10-18 11:53:32 UTC+0000
0x00000001273b2b30 cmd.exe            6952   3076 0x00000000846b6000 2013-10-17 11:29:31 UTC+0000   2013-10-17 11:29:33 UTC+0000
0x00000001273c19d0 iexplore.exe      11636   3076 0x0000000110118000 2013-10-29 18:08:23 UTC+0000   2013-10-31 14:22:19 UTC+0000
0x00000001273ccb30 swi_service.ex     2000    448 0x000000011ec4a000 2013-10-21 15:12:03 UTC+0000
0x00000001273d9830 cmd.exe            7820   3076 0x0000000047ec7000 2013-10-17 16:34:31 UTC+0000   2013-10-17 16:34:32 UTC+0000
0x00000001274048d0 cmd.exe            8732   6856 0x0000000033083000 2013-10-29 21:03:43 UTC+0000   2013-10-29 21:03:44 UTC+0000
0x0000000127409460 cmd.exe           12584   6856 0x000000010a5b5000 2013-10-27 14:11:43 UTC+0000   2013-10-27 14:11:44 UTC+0000
0x0000000127470b30 cmd.exe            7308   3076 0x00000000ba064000 2013-10-18 16:57:32 UTC+0000   2013-10-18 16:57:33 UTC+0000
0x00000001274a7060 cmd.exe            9752   3076 0x00000000bf168000 2013-10-20 03:31:31 UTC+0000   2013-10-20 03:31:31 UTC+0000
0x00000001274b16a0 cmd.exe            7644   3076 0x000000000a041000 2013-10-17 17:35:31 UTC+0000   2013-10-17 17:35:32 UTC+0000
0x00000001274c9720 SearchFilterHo    15232   3972 0x0000000001b54000 2013-10-31 14:21:02 UTC+0000   2013-10-31 14:23:16 UTC+0000
0x00000001274e13f0 conhost.exe       10736    412 0x00000001118ca000 2013-10-23 05:33:28 UTC+0000
0x00000001276954d0 conhost.exe       13612    412 0x00000000c9ac7000 2013-10-31 14:36:43 UTC+0000
0x00000001276a79e0 cmd.exe            6352   6856 0x000000004d728000 2013-10-27 18:15:44 UTC+0000   2013-10-27 18:15:48 UTC+0000
0x00000001276ab270 iptray.exe         5348  11240 0x00000000b905e000 2013-10-31 14:28:24 UTC+0000
0x00000001276d9530 cmd.exe            4768   3076 0x000000004d39b000 2013-10-17 03:21:31 UTC+0000   2013-10-17 03:21:33 UTC+0000
0x00000001276e9b30 cmd.exe           14836   6856 0x0000000106c8b000 2013-10-30 08:14:43 UTC+0000   2013-10-30 08:14:43 UTC+0000
0x000000012774b420 cmd.exe            8852   6856 0x000000004bc6c000 2013-10-27 20:17:43 UTC+0000   2013-10-27 20:17:43 UTC+0000
0x000000012777a890 cmd.exe            6280   3076 0x000000005ec6b000 2013-10-17 13:31:31 UTC+0000   2013-10-17 13:31:33 UTC+0000
0x0000000127800b30 lmi_rescue.exe     9116   9788 0x00000000b2e65000 2013-10-31 14:29:43 UTC+0000
0x00000001278259a0 rundll32.exe       3064   3580 0x00000000c5cc2000 2013-10-31 14:36:43 UTC+0000   2013-10-31 14:36:43 UTC+0000
0x0000000127853500 cmd.exe            1908   6856 0x0000000046236000 2013-10-30 02:08:44 UTC+0000   2013-10-30 02:08:44 UTC+0000
0x000000012794ab30 cmd.exe            7452   6856 0x00000000b7b2b000 2013-10-28 04:25:43 UTC+0000   2013-10-28 04:25:44 UTC+0000
0x0000000127996060 cmd.exe             212   6856 0x00000000170a8000 2013-10-27 01:59:43 UTC+0000   2013-10-27 01:59:44 UTC+0000
0x00000001279b38d0 chrome.exe         9048   3580 0x0000000091e8c000 2013-10-31 14:29:05 UTC+0000
0x00000001279bf060 chrome.exe         9176   9048 0x0000000075954000 2013-10-31 14:29:06 UTC+0000
0x00000001279bfb30 cmd.exe            8676   6856 0x000000003cd49000 2013-10-30 10:16:43 UTC+0000   2013-10-30 10:16:45 UTC+0000
0x00000001279d8630 cmd.exe            5188   3076 0x000000003ebeb000 2013-10-19 03:07:31 UTC+0000   2013-10-19 03:07:33 UTC+0000
0x00000001279e7700 WmiPrvSE.exe      10536    632 0x0000000107ff9000 2013-10-31 14:19:36 UTC+0000   2013-10-31 14:23:42 UTC+0000
0x0000000127a6b060 audiodg.exe        9500    840 0x000000006865e000 2013-10-18 18:56:04 UTC+0000
0x0000000127a802d0 taskhost.exe       6956    448 0x000000005797d000 2013-10-17 07:41:21 UTC+0000
0x0000000127aa29e0 cmd.exe           16236   6856 0x0000000084712000 2013-10-30 05:11:43 UTC+0000   2013-10-30 05:11:45 UTC+0000
0x0000000127b1e210 winpmem_1.4.ex     5820  11584 0x0000000052dd2000 2013-10-31 14:38:22 UTC+0000
0x0000000127b3ab30 cmd.exe            1552   3076 0x00000000bee94000 2013-10-18 00:42:31 UTC+0000   2013-10-18 00:42:32 UTC+0000
0x0000000127b5db30 cmd.exe            2548   3076 0x0000000038853000 2013-10-18 09:52:32 UTC+0000   2013-10-18 09:52:33 UTC+0000
0x0000000127b88060 chrome.exe        14132  12964 0x0000000064c1e000 2013-10-25 20:27:03 UTC+0000   2013-10-31 14:21:29 UTC+0000
0x0000000127ba9290 OSPPSVC.EXE        3476    448 0x0000000104d39000 2013-10-11 13:09:13 UTC+0000
0x0000000127bfeb30 cmd.exe            9760   6856 0x000000004886b000 2013-10-27 08:05:43 UTC+0000   2013-10-27 08:05:44 UTC+0000
0x0000000127c3bb30 cmd.exe            8636   3076 0x00000000971b7000 2013-10-17 19:38:32 UTC+0000   2013-10-17 19:38:32 UTC+0000
0x0000000127c5b680 cmd.exe           13456   6856 0x000000003229a000 2013-10-26 16:50:43 UTC+0000   2013-10-26 16:50:44 UTC+0000
0x0000000127c6e3c0 WerFault.exe      16076  14920 0x00000000c10c1000 2013-10-31 14:21:42 UTC+0000   2013-10-31 14:21:47 UTC+0000
0x0000000127cb4060 cmd.exe            9300   3076 0x0000000061768000 2013-10-18 22:03:32 UTC+0000   2013-10-18 22:03:33 UTC+0000
0x0000000127cc5b30 WmiPrvSE.exe      16024    632 0x0000000045fb9000 2013-10-31 14:35:22 UTC+0000
0x0000000127ccfb30 cmd.exe            4720   6856 0x00000000be1df000 2013-10-28 16:35:44 UTC+0000   2013-10-28 16:35:45 UTC+0000
0x0000000127cf3760 cmd.exe           10760   6856 0x00000000335c6000 2013-10-26 12:47:43 UTC+0000   2013-10-26 12:47:44 UTC+0000
0x0000000127d125a0 cmd.exe            4112   6856 0x0000000073804000 2013-10-28 00:21:43 UTC+0000   2013-10-28 00:21:44 UTC+0000
0x0000000127d30b30 cmd.exe            5324   3076 0x0000000030218000 2013-10-19 03:08:32 UTC+0000   2013-10-19 03:08:32 UTC+0000
0x0000000127d3cb30 cmd.exe           12032   3064 0x000000006272b000 2013-10-31 14:36:43 UTC+0000
0x0000000127d52920 explorer.exe       3580   3560 0x000000011a2c1000 2013-10-11 13:06:42 UTC+0000
0x0000000127d75b30 cmd.exe            8596   3076 0x00000000b723b000 2013-10-18 10:53:32 UTC+0000   2013-10-18 10:53:32 UTC+0000
0x0000000127dbb060 taskhost.exe        732    448 0x0000000115dc9000 2013-10-11 13:06:43 UTC+0000
0x0000000127df6b30 jusched.exe        4044   3476 0x000000010f89b000 2013-10-11 13:06:45 UTC+0000
0x0000000127e6a7b0 ALMon.exe          2652   3476 0x0000000018af6000 2013-10-11 13:06:46 UTC+0000
0x0000000127e90060 cmd.exe           14456   6856 0x0000000078660000 2013-10-29 15:58:43 UTC+0000   2013-10-29 15:58:45 UTC+0000
0x0000000127f65040 System                4      0 0x0000000000187000 2013-10-11 13:04:03 UTC+0000
0x0000000127fe7b30 cmd.exe             908   3076 0x00000000cef07000 2013-10-19 01:06:32 UTC+0000   2013-10-19 01:06:32 UTC+0000
0x0000000127ffd060 cmd.exe            4972   6856 0x000000007b39b000 2013-10-30 12:18:43 UTC+0000   2013-10-30 12:18:44 UTC+0000
0x00000001280375f0 dwm.exe            1956    916 0x0000000025669000 2013-10-11 13:06:42 UTC+0000
0x0000000128059b30 cmd.exe           11092   3076 0x00000000c5fcc000 2013-10-20 16:45:32 UTC+0000   2013-10-20 16:45:33 UTC+0000
0x00000001280b8060 cmd.exe            8704   3076 0x00000000936e8000 2013-10-20 18:46:31 UTC+0000   2013-10-20 18:46:32 UTC+0000
0x00000001280b8710 cmd.exe            9164   3076 0x0000000124e15000 2013-10-20 21:50:32 UTC+0000   2013-10-20 21:50:32 UTC+0000
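
A way to test MHL's "acquisition issue versus parsing issue" distinction without depending on Volatility's KDBG search, added here as an example; it is not code from this thread, from Volatility, or from winpmem. It makes three cheap checks on a raw image: the share of 4 KiB pages that are entirely zero (a dump that is mostly zeros points at the capture, not the parser), the number of process pool tags present (tags in the image while pslist is empty point at a broken list walk, which is exactly the case where psscan still returns results, as the attached output shows), and whether the DTB Volatility reported is self-consistent (the System entry in the psscan output above also carries PDB 0x187000). Assumptions: the Vista-and-later protected "Proc" pool tag b"Pro\xe3", the Win7 x64 PML4 self-map slot 0x1ED, 4 KiB pages, and a 16-byte pool-header alignment filter that is this script's own heuristic rather than a reimplementation of psscan. The sample image is constructed in build_sample_image(); every function also accepts an mmap of a real file.

```python
# Added triage helper for a raw physical-memory image (example code, not from
# the thread, Volatility or winpmem). All assumptions are called out inline.
import struct

PAGE = 0x1000
# psscan carves _EPROCESS objects by pool tag. Assumption: on Vista+ the 'Proc'
# tag has the protected bit set in its last byte, so the bytes are b"Pro\xe3".
PROC_TAG = b"Pro\xe3"
# Assumption: Win7 x64 maps the PML4 into itself at slot 0x1ED, so that entry
# must be present and point back at the DTB page. Later kernels randomise it.
PML4_SELF_INDEX = 0x1ED
PFN_MASK = 0x000FFFFFFFFFF000  # physical-address bits of a 4-level page-table entry


def zero_page_fraction(image) -> float:
    """Fraction of 4 KiB pages that are entirely zero; near 1.0 means nothing was read."""
    npages = len(image) // PAGE
    if npages == 0:
        return 1.0
    blank = bytes(PAGE)
    zero = sum(1 for i in range(npages) if image[i * PAGE:(i + 1) * PAGE] == blank)
    return zero / npages


def count_pool_tag(image, tag: bytes = PROC_TAG) -> int:
    """Count tag hits at offset 4 of a 16-byte-aligned x64 _POOL_HEADER.

    The alignment filter is this script's heuristic for dropping stray matches;
    it approximates what a pool scanner keys on, it does not replicate psscan.
    """
    hits = 0
    pos = image.find(tag)
    while pos != -1:
        if pos % 16 == 4:
            hits += 1
        pos = image.find(tag, pos + 1)
    return hits


def dtb_self_reference_ok(image, dtb: int, idx: int = PML4_SELF_INDEX) -> bool:
    """True if PML4[idx] at physical address 'dtb' is present and points back at 'dtb'."""
    off = dtb + idx * 8
    if dtb % PAGE or off + 8 > len(image):
        return False
    (entry,) = struct.unpack_from("<Q", image, off)
    present = bool(entry & 1)
    return present and (entry & PFN_MASK) == dtb


def triage(image, dtb: int) -> dict:
    """Run the three checks; read the result against the symptoms in the thread."""
    return {
        "zero_page_fraction": zero_page_fraction(image),
        "proc_tag_hits": count_pool_tag(image),
        "dtb_self_reference_ok": dtb_self_reference_ok(image, dtb),
    }


def build_sample_image(dtb: int = 0x187000, pages: int = 0x190) -> bytes:
    """Constructed 1.5 MiB stand-in for a dump (not real data): mostly zero pages,
    eight filler pages, two aligned Proc headers, one misaligned decoy and a
    valid PML4 self-map entry at the DTB Volatility reported."""
    img = bytearray(pages * PAGE)
    for p in range(2, 10):                       # eight pages of non-zero filler
        img[p * PAGE:(p + 1) * PAGE] = b"\xab" * PAGE
    img[0x10004:0x10008] = PROC_TAG              # tag at header+4, header 16-aligned
    img[0x20004:0x20008] = PROC_TAG
    img[0x30001:0x30005] = PROC_TAG              # decoy: not on a header boundary
    struct.pack_into("<Q", img, dtb + PML4_SELF_INDEX * 8, dtb | 0x63)  # P|RW|A|D
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print(triage(sample, 0x187000))
    # Real dump: import mmap; with open("<FILE>", "rb") as f:
    #     triage(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ), 0x187000)
```

Reading the result: a high zero-page fraction with no pool tags is the winpmem-side problem MHL describes; a low zero fraction with many tags but an empty pslist means physical memory is there and only the PsActiveProcessHead walk is failing, so psscan and --dtb are the right next step; a failed self-reference check means the --dtb value itself is wrong and the pslist attempt was never going to work.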