# Specific Memory Process Analysis
Now that we have identified a couple of processes to examine further, we will use the next set of plugins to analyze each process in more depth, either to determine whether the process is malicious or, if we have already decided that it is, to generate further indicators of compromise.

## handles
Handles are references to open kernel objects. Common handle types are the following:
* File
* Mutex
* Process
* Registry key
* Thread

Before a process can interact with an object it must open a handle to it through the Windows API. We have seen these APIs before when reviewing unknown binaries. Common API calls that open handles are the following:
* CreateFile
* CreateMutex
* RegOpenKeyEx

When you call these APIs they return a value of type HANDLE, which is an index into the process's handle table. The handle count of the process is also incremented when the call succeeds. The HANDLE value can then be passed to other API calls, such as those that write to, read from or delete the object. Because the later calls refer only to the handle index and never to the object's name, this also gives a degree of security through obscurity: what is passed around is just an index, not the specific object name.

Kernel modules and threads can also hold open handles; these appear in the handle table of the System process (PID 4). Some kernel APIs that open handles are the following:

* NtCreateFile
* NtReadFile
* NtCreateMutex

To enumerate the handle table with Volatility we use the windows.handles plugin, as shown below:


```shell
python ../volatility3/vol.py -q -f E:\APT.img windows.handles.Handles
```

Volatility 3 Framework 1.2.1

PID	Process	Offset	HandleValue	Type	GrantedAccess	Name

4	System	0x823c8830	0x4	Process	0x1f0fff	System Pid 4
4	System	0x823c7020	0x8	Thread	0x0	Tid 12 Pid 4
4	System	0xe1035468	0xc	Key	0xf003f	MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT\PREFETCHPARAMETERS
4	System	0xe1011490	0x10	Key	0x0	
4	System	0xe13af200	0x14	Key	0x2001f	MACHINE\SYSTEM\SETUP
4	System	0xe13ae198	0x18	Key	0x20019	MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MULTIFUNCTIONADAPTER
4	System	0xe101e438	0x1c	Key	0x20019	MACHINE\SYSTEM\WPA\MEDIACENTER
4	System	0xe13b0430	0x20	Key	0x20019	MACHINE\SYSTEM\WPA\KEY-4F3B2RFXKC9C637882MBM
4	System	0xe13b7430	0x24	Key	0x20019	MACHINE\SYSTEM\WPA\PNP
4	System	0xe13b8430	0x28	Key	0x20019	MACHINE\SYSTEM\WPA\SIGNINGHASH-V44KQMCFXKQCTQ
4	System	0xe13a6708	0x2c	Key	0x2001f	MACHINE\SYSTEM\CONTROLSET001\CONTROL\PRODUCTOPTIONS
4	System	0xe13ae290	0x30	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG
4	System	0x823c1790	0x34	Event	0x1

4	System	0x81dcf558	0x658	File	0x12019f	\Device\Tcp
4	System	0x822e76a0	0x65c	File	0x12019f	\Device\Tcp
4	System	0x8232b748	0x660	File	0x12019f	\Device\Tcp
4	System	0x81f1ada8	0x664	File	0x12019f	\Device\Tcp
4	System	0x821888e0	0x668	File	0x12019f	\Device\Tcp
4	System	0x81def940	0x66c	File	0x12019f	\Device\Tcp
4	System	0x81e51b18	0x670	File	0x12019f	\Device\Tcp
4	System	0x81e53f40	0x674	File	0x12019f	\Device\Tcp
4	System	0x81fb5b58	0x678	File	0x12019f	\Device\Tcp
4	System	0x81e3e818	0x67c	File	0x12019f	\Device\Tcp
4	System	0x81e51f40	0x680	File	0x12019f	\Device\Tcp
4	System	0x81e54348	0x684	File	0x12019f	\Device\Tcp
4	System	0x81e516f0	0x688	File	0x12019f	\Device\Tcp
4	System	0x81eacaa0	0x68c	File	0x12019f	\Device\Tcp
4	System	0x81e8c460	0x690	File	0x12019f	\Device\Tcp
4	System	0x81f61370	0x694	File	0x12019f	\Device\Tcp
4	System	0x81eabdb0	0x698	File	0x12019f	\Device\Tcp
4	System	0x81ebb760	0x69c	File	0x12019f	\Device\Tcp
4	System	0x82161cb0	0x6a0	File	0x12019f	\Device\Tcp
4	System	0x8

564	smss.exe	0x82331368	0x1c	File	0x100001	\Device\HarddiskVolume1\WINDOWS\system32
564	smss.exe	0xe173aed0	0x20	SymbolicLink	0xf0001	KnownDllPath
564	smss.exe	0xe15a9e98	0x24	Directory	0xf000f	KnownDlls
564	smss.exe	0x81f61998	0x28	Event	0x1f0003	
564	smss.exe	0x82190680	0x2c	Event	0x1f0003	UniqueSessionIdEvent
564	smss.exe	0x822ca2c0	0x30	Process	0x1f0fff	smss.exe Pid 636
564	smss.exe	0x822ca2c0	0x34	Process	0x400	smss.exe Pid 636
564	smss.exe	0xe174ce00	0x38	Port	0x1f0001	
564	smss.exe	0xe1746820	0x3c	Port	0x1f0001	
564	smss.exe	0xe17448a0	0x40	Port	0x1f0001	
564	smss.exe	0xe1d37740	0x44	Port	0x1f0001	
564	smss.exe	0x81f63020	0x48	Process	0x1f0fff	smss.exe Pid 660
564	smss.exe	0x81e54da0	0x4c	Process	0x400	smss.exe Pid 884
636	csrss.exe	0xe10096e0	0x4	KeyedEvent	0xf0003	CritSecOutOfMemoryEvent
636	csrss.exe	0xe15a9e98	0x8	Directory	0x3	KnownDlls
636	csrss.exe	0x8230f638	0xc	File	0x100020	\Device\HarddiskVolume1\WINDOWS\system32
636	csrss.exe	0xe15d8eb8	0x10	Directory	0xf000f	BNOLINK

636	csrss.exe	0xe18c0238	0x20c	Port	0x1f0001	
636	csrss.exe	0x81e57da8	0x210	Thread	0x1f03ff	Tid 1100 Pid 1088
636	csrss.exe	0x81db6da8	0x214	Thread	0x1f03ff	Tid 1096 Pid 1088
636	csrss.exe	0x822c8460	0x218	Thread	0x1f03ff	Tid 1104 Pid 1088
636	csrss.exe	0x81df0b30	0x21c	Thread	0x1f03ff	Tid 1112 Pid 1088
636	csrss.exe	0x82149da8	0x220	Thread	0x1f03ff	Tid 1136 Pid 1088
636	csrss.exe	0xe1a36470	0x224	Port	0x1f0001	
636	csrss.exe	0x8232c020	0x228	Process	0x1f0fff	csrss.exe Pid 1140
636	csrss.exe	0x81f9fb28	0x22c	Thread	0x1f03ff	Tid 1144 Pid 1140
636	csrss.exe	0x81df5da8	0x230	Thread	0x1f03ff	Tid 1152 Pid 704
636	csrss.exe	0x81db1da8	0x234	Thread	0x1f03ff	Tid 1156 Pid 704
636	csrss.exe	0x822e65f0	0x238	Thread	0x1f03ff	Tid 376 Pid 1088
636	csrss.exe	0x81f2f988	0x240	Thread	0x1f03ff	Tid 388 Pid 1088
636	csrss.exe	0x81f78780	0x244	Event	0x1f0003	
636	csrss.exe	0x81e755b8	0x248	Thread	0x1f03ff	Tid 1716 Pid 840
636	csrss.exe	0x81f5e1f8	0x24c	Thread	0x1f03ff	Tid 1204 Pid 1088
636	csrss.exe	0x81e

636	csrss.exe	0x822c2680	0x460	Thread	0x1f03ff	Tid 1572 Pid 1032
636	csrss.exe	0x822f59a8	0x468	Thread	0x1f03ff	Tid 1568 Pid 1088
636	csrss.exe	0x81dc2570	0x46c	Process	0x1f0fff	csrss.exe Pid 1032
636	csrss.exe	0x81dc22f8	0x470	Thread	0x1f03ff	Tid 1036 Pid 1032
636	csrss.exe	0xe1b9cd28	0x474	Port	0x1f0001	
636	csrss.exe	0x82303da8	0x478	Thread	0x1f03ff	Tid 1056 Pid 1088
636	csrss.exe	0x81db4020	0x47c	Thread	0x1f03ff	Tid 1896 Pid 1088
636	csrss.exe	0x81e82d58	0x484	Thread	0x1f03ff	Tid 408 Pid 2004
636	csrss.exe	0x822f3da8	0x488	Thread	0x1f03ff	Tid 1148 Pid 968
636	csrss.exe	0x81e78230	0x48c	Thread	0x1f03ff	Tid 1160 Pid 704
636	csrss.exe	0x822f3560	0x494	Thread	0x1f03ff	Tid 1172 Pid 716
636	csrss.exe	0x82156640	0x498	Thread	0x1f03ff	Tid 1180 Pid 716
636	csrss.exe	0x81e48b30	0x49c	Thread	0x1f03ff	Tid 1184 Pid 716
636	csrss.exe	0x81df1020	0x4a0	Thread	0x1f03ff	Tid 1060 Pid 1212
636	csrss.exe	0x82181538	0x4a4	Thread	0x1f03ff	Tid 1288 Pid 1088
636	csrss.exe	0x81f153f8	0x4bc	Thread	0x1f03ff	T

660	winlogon.exe	0x81f94e98	0x78	Mutant	0x1f0001	
660	winlogon.exe	0x81f39c08	0x7c	Mutant	0x1f0001	
660	winlogon.exe	0x81dcdd48	0x80	Event	0x1f0003	
660	winlogon.exe	0x81f393b8	0x84	Mutant	0x1f0001	
660	winlogon.exe	0x81f18648	0x88	Event	0x1f0003	
660	winlogon.exe	0x82333330	0x8c	Event	0x1f0003	
660	winlogon.exe	0xe177eaf0	0x90	Key	0x20f003f	MACHINE\SOFTWARE\CLASSES
660	winlogon.exe	0x81f34308	0x94	Event	0x1f0003	WinlogonTSSynchronizeEvent
660	winlogon.exe	0x81dc33b8	0x98	File	0x12019f	\Device\NamedPipe\TerminalServer\AutoReconnect
660	winlogon.exe	0x81f34290	0x9c	Event	0x1f0003	TS-WPAAE
660	winlogon.exe	0x81eb4f50	0xa0	Event	0x1f0003	
660	winlogon.exe	0x81e6f258	0xa4	Event	0x1f0003	
660	winlogon.exe	0x8216d988	0xa8	WindowStation	0xf037f	WinSta0
660	winlogon.exe	0x81efd8e8	0xac	Desktop	0xf01ff	Winlogon
660	winlogon.exe	0x8216d988	0xb0	WindowStation	0xf037f	WinSta0
660	winlogon.exe	0x8219b038	0xb4	Desktop	0xf01ff	Disconnect
660	winlogon.exe	0x81eaccf8	0xb8	Desktop	0xf01ff	Default
660	wi

660	winlogon.exe	0x81fb5a70	0x244	File	0x160001	\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi
660	winlogon.exe	0x81e3e730	0x248	File	0x160001	\Device\HarddiskVolume1\WINDOWS
660	winlogon.exe	0x81e51e58	0x24c	File	0x160001	\Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\DAO
660	winlogon.exe	0x81e51608	0x250	File	0x160001	\Device\HarddiskVolume1\Program Files\Windows Media Player
660	winlogon.exe	0x81f021a0	0x254	File	0x160001	\Device\HarddiskVolume1\Program Files\Common Files\System\msadc
660	winlogon.exe	0x81e431a0	0x258	File	0x160001	\Device\HarddiskVolume1\Program Files\Common Files\System\ado
660	winlogon.exe	0x822c41a0	0x25c	File	0x160001	\Device\HarddiskVolume1\Program Files\Common Files\System\Ole DB
660	winlogon.exe	0x822c11a0	0x260	File	0x160001	\Device\HarddiskVolume1\WINDOWS\inf
660	winlogon.exe	0x81f091a0	0x264	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system
660	winlogon.exe	0x822c61a0	0x268	File	0

660	winlogon.exe	0x81ed1f90	0x380	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system32\mui\040e
660	winlogon.exe	0x81fb67e0	0x384	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system32\mui\0410
660	winlogon.exe	0x821ab7c8	0x388	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system32\mui\0411
660	winlogon.exe	0x8231b200	0x38c	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system32\mui\0412
660	winlogon.exe	0x8231b6e0	0x390	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system32\mui\0413
660	winlogon.exe	0x81e3db78	0x394	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system32\mui\0414
660	winlogon.exe	0x81e3d548	0x398	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system32\mui\0415
660	winlogon.exe	0x8231dc28	0x39c	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system32\mui\0416
660	winlogon.exe	0x81ea6d58	0x3a0	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system32\mui\0419
660	winlogon.exe	0x81fb76c0	0x3a4	File	0x160001	\Device\HarddiskVolume1\WINDOWS\system32\mui\041b
660	winlogon.exe	0x8

660	winlogon.exe	0x81f5eb80	0x5b0	Event	0x1f0003	
660	winlogon.exe	0x81f5eb50	0x5b4	Event	0x1f0003	
660	winlogon.exe	0x82302880	0x5b8	Event	0x1f0003	
660	winlogon.exe	0x82302850	0x5bc	Event	0x1f0003	
660	winlogon.exe	0x821be5a0	0x5c0	Event	0x1f0003	
660	winlogon.exe	0x821be570	0x5c4	Event	0x1f0003	
660	winlogon.exe	0x81e549d0	0x5c8	Event	0x1f0003	
660	winlogon.exe	0x81e549a0	0x5cc	Event	0x1f0003	
660	winlogon.exe	0x81e54970	0x5d0	Event	0x1f0003	
660	winlogon.exe	0x81db5ac8	0x5d4	Event	0x1f0003	
660	winlogon.exe	0x822cec20	0x5d8	Thread	0x1f03ff	Tid 948 Pid 660
660	winlogon.exe	0x822f0128	0x5dc	File	0x12019f	\Device\NamedPipe\SfcApi
660	winlogon.exe	0x81db5528	0x5e0	File	0x12019f	\Device\NamedPipe\SfcApi
660	winlogon.exe	0x82197020	0x5e4	Thread	0x1f03ff	Tid 952 Pid 660
660	winlogon.exe	0x81df5020	0x5e8	Thread	0x1f03ff	Tid 956 Pid 660
660	winlogon.exe	0xe18972e0	0x5ec	Port	0x1f0001	
660	winlogon.exe	0x81f8eb58	0x5f0	Event	0x1f0003	
660	winlogon.exe	0x82197738	0x5f4	Timer	0x1f0003	userenv:

660	winlogon.exe	0x822c4840	0x834	Event	0x1f0003	
660	winlogon.exe	0x81d31460	0x838	Thread	0x1f03ff	Tid 1764 Pid 660
660	winlogon.exe	0x81e5a0e8	0x83c	File	0x120116	\Device\Tcp
660	winlogon.exe	0x81dcaef0	0x840	Event	0x1f0003	userenv: machine policy refresh event
660	winlogon.exe	0x822f73b8	0x844	Event	0x1f0003	
660	winlogon.exe	0x81f17190	0x84c	Event	0x100000	WlballoonLogoffNotificationEventName
660	winlogon.exe	0x81db73f0	0x854	Event	0x1f0003	000000000000bb81_WlballoonKerberosNotificationEventName
660	winlogon.exe	0x81f1e5c8	0x85c	Event	0x1f0003	
660	winlogon.exe	0x82167150	0x890	Event	0x1f0003	userenv: machine policy force refresh event
660	winlogon.exe	0x81f78820	0x894	Event	0x1f0003	userenv: User Group Policy has been applied
660	winlogon.exe	0x8231e798	0x89c	Event	0x1f0003	
660	winlogon.exe	0x82316e58	0x8a4	Event	0x1f0003	userenv: User Group Policy Processing is done
660	winlogon.exe	0x8232f7e0	0x8a8	File	0x100020	\Device\HarddiskVolume1\WINDOWS\system32
660	winlogon.exe	0xe1cf37

704	services.exe	0x822ee688	0x1cc	Event	0x1f0003	ScNetDrvMsg
704	services.exe	0x81e4a260	0x1d0	Event	0x1f0003	
704	services.exe	0xe1574e70	0x1d4	Port	0x1f0001	ntsvcs
704	services.exe	0x82196700	0x1d8	Event	0x1f0003	
704	services.exe	0x81f6ea18	0x1e4	File	0x12019f	\Device\NamedPipe\ntsvcs
704	services.exe	0x822ca660	0x1e8	File	0x12019f	\Device\NamedPipe\ntsvcs
704	services.exe	0x81f06ed8	0x1ec	Event	0x1f0003	
704	services.exe	0x81e506f0	0x1f0	Thread	0x1f03ff	Tid 852 Pid 704
704	services.exe	0xe18361b0	0x1f4	Port	0x1f0001	
704	services.exe	0x81f36da8	0x1f8	Thread	0x1f03ff	Tid 940 Pid 704
704	services.exe	0x81e80908	0x200	File	0x1a019f	\Device\NamedPipe\net\NtControlPipe13
704	services.exe	0x81f06a70	0x204	Event	0x100003	
704	services.exe	0x8219e398	0x208	File	0x12019f	\Device\NamedPipe\scerpc
704	services.exe	0x82158d18	0x20c	File	0x100001	\Device\KsecDD
704	services.exe	0x81e50a88	0x210	File	0x12019f	\Device\NamedPipe\scerpc
704	services.exe	0x822c3e98	0x214	Event	0x1f0003	
704	services

704	services.exe	0x81f60590	0x44c	Event	0x1f0003	
704	services.exe	0xe1b62e48	0x454	Port	0x1f0001	
704	services.exe	0xe1d9a3a0	0x45c	Key	0xf003f	USER\S-1-5-19
704	services.exe	0xe1ea7da8	0x460	Token	0xf01ff	
704	services.exe	0x81e98ad0	0x468	File	0x1a019f	\Device\NamedPipe\net\NtControlPipe12
704	services.exe	0x81d33628	0x46c	Process	0x1f0fff	services.exe Pid 464
704	services.exe	0xe1d131b0	0x470	Port	0x1f0001	
716	lsass.exe	0xe10096e0	0x4	KeyedEvent	0xf0003	CritSecOutOfMemoryEvent
716	lsass.exe	0xe15a9e98	0x8	Directory	0x3	KnownDlls
716	lsass.exe	0x81eb7188	0xc	File	0x100020	\Device\HarddiskVolume1\WINDOWS\system32
716	lsass.exe	0x81df0050	0x10	Semaphore	0x100003	
716	lsass.exe	0xe172a940	0x14	Directory	0xf000f	Windows
716	lsass.exe	0xe1785a90	0x18	Port	0x21f0001	
716	lsass.exe	0x822ff548	0x1c	Semaphore	0x100003	
716	lsass.exe	0xe1741030	0x20	Directory	0x2000f	BaseNamedObjects
716	lsass.exe	0x822f2108	0x24	Mutant	0x1f0001	SHIMLIB_LOG_MUTEX
716	lsass.exe	0xe17a9c60	0x28	Key	0x20f003f	M

716	lsass.exe	0x81f9f798	0x208	WmiGuid	0xa84	
716	lsass.exe	0xe1831858	0x20c	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\CONTROL\LSA\MSV1_0
716	lsass.exe	0x81e9b500	0x210	Semaphore	0x100003	
716	lsass.exe	0x8232cba8	0x214	Semaphore	0x100003	
716	lsass.exe	0x8232cb70	0x218	Semaphore	0x100003	
716	lsass.exe	0x81e62ed0	0x21c	Semaphore	0x100003	
716	lsass.exe	0x81e62e98	0x220	Semaphore	0x100003	
716	lsass.exe	0x81f213f0	0x224	Semaphore	0x100003	
716	lsass.exe	0x81f213b8	0x228	Semaphore	0x100003	
716	lsass.exe	0x81dc5680	0x22c	Semaphore	0x100003	
716	lsass.exe	0xe17d0610	0x230	Key	0x2001f	MACHINE\SECURITY\POLICY
716	lsass.exe	0x822de910	0x234	Semaphore	0x100003	
716	lsass.exe	0xe17905a8	0x238	Token	0x600fe	
716	lsass.exe	0x822de8d8	0x23c	Semaphore	0x100003	
716	lsass.exe	0x81e00ba8	0x240	Event	0x1f0003	
716	lsass.exe	0x81f2e5a8	0x244	File	0x120196	\Device\HarddiskVolume1\WINDOWS\Debug\PASSWD.LOG
716	lsass.exe	0x8216c7d8	0x248	Semaphore	0x100003	
716	lsass.exe	0x8216c3f0	0x24c	Semaphore	0x10000

716	lsass.exe	0xe1b632b0	0x4c0	Port	0x1f0001	
716	lsass.exe	0xe1b7d518	0x4c4	Port	0x1f0001	
716	lsass.exe	0x81e91da0	0x4c8	Process	0x478	lsass.exe Pid 1212
716	lsass.exe	0x822d5c88	0x4cc	Event	0x1f0003	
716	lsass.exe	0x81e939e8	0x4d0	Thread	0x1f03ff	Tid 748 Pid 716
716	lsass.exe	0x81e68298	0x4d8	WmiGuid	0xa84	
716	lsass.exe	0x81dc0ef8	0x4e0	File	0x12019f	\Device\IPSEC
716	lsass.exe	0x81e4f510	0x4e8	Event	0x1f0003	
716	lsass.exe	0x81e60988	0x4ec	Thread	0x1f03ff	Tid 128 Pid 716
716	lsass.exe	0x8231ed60	0x4f0	Event	0x1f0003	IPSEC_POLICY_CHANGE_EVENT
716	lsass.exe	0x81e64550	0x4f4	Event	0x1f0003	
716	lsass.exe	0x81e606e0	0x4f8	Event	0x1f0003	
716	lsass.exe	0x8231ed20	0x4fc	Event	0x1f0003	IPSEC_POLICY_CHANGE_NOTIFY
716	lsass.exe	0x8231ece0	0x500	Event	0x1f0003	
716	lsass.exe	0x8231ecb0	0x504	Event	0x1f0003	IPSEC_GP_REFRESH_EVENT
716	lsass.exe	0x81e60988	0x508	Thread	0x1f03ff	Tid 128 Pid 716
716	lsass.exe	0x822f3350	0x50c	Event	0x1f0003	
716	lsass.exe	0x81fb6f18	0x510	Event	0x1f0003	
716	lsa

884	svchost.exe	0x81e63820	0xb8	Event	0x1f0003	
884	svchost.exe	0x8231bc08	0xbc	File	0x12019f	\Device\NamedPipe\net\NtControlPipe2
884	svchost.exe	0xe17df2d0	0xc0	Port	0x1f0001	
884	svchost.exe	0x81dcaf58	0xc4	Event	0x1f0003	
884	svchost.exe	0x81e553b0	0xc8	Event	0x1f0003	
884	svchost.exe	0x81e54da0	0xcc	Process	0x1f0fff	svchost.exe Pid 884
884	svchost.exe	0x81e553e0	0xd0	Event	0x1f0003	
884	svchost.exe	0x822da1a8	0xd4	Event	0x1f0003	
884	svchost.exe	0x81fb3d58	0xd8	IoCompletion	0x1f0003	
884	svchost.exe	0x81fb3f70	0xdc	IoCompletion	0x1f0003	
884	svchost.exe	0x81fb3d58	0xe0	IoCompletion	0x1f0003	
884	svchost.exe	0xe17fbeb0	0xe4	Key	0x20f003f	MACHINE\SOFTWARE\CLASSES
884	svchost.exe	0xe150c6e0	0xe8	Key	0x20019	MACHINE\SOFTWARE\CLASSES\CLSID
884	svchost.exe	0xe17e2d28	0xec	Key	0x20019	MACHINE\SOFTWARE\CLASSES\APPID
884	svchost.exe	0x822da178	0xf0	Event	0x1f0003	
884	svchost.exe	0x822e6540	0xf4	Event	0x1f0003	
884	svchost.exe	0x81ebdb18	0xf8	Event	0x1f0003	
884	svchost.exe	0x81ebdae8	0xfc

884	svchost.exe	0x82165ff0	0x2d8	Event	0x1f0003	
884	svchost.exe	0x81e085d8	0x2dc	Thread	0x1f03ff	Tid 1920 Pid 884
884	svchost.exe	0x81d307e8	0x2e0	Event	0x1f0003	
884	svchost.exe	0x81da8160	0x2e4	Event	0x100000	userenv: Machine Group Policy has been applied
884	svchost.exe	0x81d2eb30	0x2e8	Thread	0x1f03ff	Tid 192 Pid 884
884	svchost.exe	0xe1b9cee8	0x2ec	Key	0x20019	MACHINE\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\TERMINAL SERVICES
884	svchost.exe	0xe1b9ce80	0x2f0	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER
884	svchost.exe	0xe1d13490	0x2f4	Key	0x20019	MACHINE\SOFTWARE\POLICIES
884	svchost.exe	0x81f3bf20	0x2f8	Event	0x1f0003	
884	svchost.exe	0x82187bf8	0x2fc	Event	0x1f0003	
884	svchost.exe	0x81e08240	0x300	Event	0x1f0003	
884	svchost.exe	0xe1d3f640	0x304	Port	0x1f0001	
884	svchost.exe	0x81d2e8b8	0x308	Thread	0x1f03ff	Tid 200 Pid 884
884	svchost.exe	0xe1e0a350	0x30c	Port	0x1f0001	
884	svchost.exe	0xe15d1070	0x310	Port	0x1f0001	
884	svchost.exe	0x82071020	0x314	Thread	0

968	svchost.exe	0x8215d548	0x1a4	Event	0x1f0003	
968	svchost.exe	0xe18a7468	0x1a8	Port	0x1f0001	
968	svchost.exe	0xe17a29f0	0x1ac	Port	0x1f0001	
968	svchost.exe	0x81e4b830	0x1b0	Event	0x1f0003	
968	svchost.exe	0xe18a9778	0x1b4	Token	0xf01ff	
968	svchost.exe	0xe1a4ec20	0x1b8	Port	0x1f0001	
968	svchost.exe	0xe1bad9a0	0x1bc	Token	0xf01ff	
968	svchost.exe	0xe183cbb0	0x1c0	Key	0x20019	MACHINE\SOFTWARE\CLASSES
968	svchost.exe	0xe1ad9568	0x1c4	Key	0x20019	MACHINE\SOFTWARE\CLASSES
968	svchost.exe	0x822d5678	0x1c8	Event	0x1f0003	
968	svchost.exe	0xe1ba5550	0x1cc	Key	0x20019	MACHINE\SOFTWARE\MICROSOFT\COM3
968	svchost.exe	0x822d5648	0x1d0	Event	0x1f0003	
968	svchost.exe	0xe18c6cd0	0x1d4	Key	0x10	USER
968	svchost.exe	0x822d32f0	0x1d8	Event	0x1f0003	
968	svchost.exe	0xe19ba970	0x1dc	Key	0x20019	MACHINE\SOFTWARE\CLASSES
968	svchost.exe	0x822d32c0	0x1e0	Event	0x1f0003	
968	svchost.exe	0xe1a768e8	0x1e4	Key	0x10	USER
968	svchost.exe	0x82163580	0x1e8	Event	0x1f0003	
968	svchost.exe	0xe18414c0	0x1ec	Key

1088	svchost.exe	0x822fe1d0	0x4c	Event	0x1f0003	DINPUTWINMM
1088	svchost.exe	0x82339930	0x50	File	0x100001	\Device\KsecDD
1088	svchost.exe	0x81e4f3b8	0x54	Event	0x1f0003	
1088	svchost.exe	0x81e4f388	0x58	Event	0x1f0003	
1088	svchost.exe	0xe18a8230	0x5c	Key	0x20019	MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
1088	svchost.exe	0x81f5ae28	0x60	Semaphore	0x1f0003	shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
1088	svchost.exe	0x81fb2890	0x64	Event	0x1f0003	userenv:  User Profile setup event
1088	svchost.exe	0x81ed1d08	0x68	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
1088	svchost.exe	0xe1865030	0x6c	Token	0x8	
1088	svchost.exe	0x81f08a00	0x70	Event	0x1f0003	
1088	svchost.exe	0x8215eea0	0x74	Semaphore	0x100003	
1088	svchost.exe	0x81f089c8	0x78	Semaphore	0x100003	
1088	svchost.exe	0x81f08990	0x7c	Semaphore	0x100003	
1088	svchost.exe	0x81f08958	0x80	Semaphore	0x100003	
1088	svchost.exe	0

1088	svchost.exe	0xe1870a60	0x25c	Port	0x1f0001	
1088	svchost.exe	0x82149c10	0x260	Event	0x1f0003	
1088	svchost.exe	0x82161300	0x264	Event	0x1f0003	
1088	svchost.exe	0x821513f8	0x268	Event	0x1f0003	
1088	svchost.exe	0x81db4020	0x26c	Thread	0x1f03ff	Tid 1896 Pid 1088
1088	svchost.exe	0x8215f848	0x270	Event	0x1f0003	
1088	svchost.exe	0x822c4808	0x274	Semaphore	0x100003	
1088	svchost.exe	0x822c4780	0x278	Semaphore	0x100003	
1088	svchost.exe	0xe17841d8	0x27c	Key	0x20019	MACHINE\SOFTWARE\MICROSOFT\TRACING\EAPOL
1088	svchost.exe	0x82152bc8	0x280	Event	0x1f0003	
1088	svchost.exe	0x82152af0	0x284	Event	0x1f0003	
1088	svchost.exe	0x81df3238	0x288	WmiGuid	0xa84	
1088	svchost.exe	0xe17831d8	0x28c	Key	0x20f003f	USER\.DEFAULT
1088	svchost.exe	0x81df1be0	0x290	Semaphore	0x100003	
1088	svchost.exe	0x822ce348	0x294	Semaphore	0x100003	
1088	svchost.exe	0xe183bbb0	0x298	Key	0x20019	MACHINE\SOFTWARE\MICROSOFT\TRACING\EAPOLQEC
1088	svchost.exe	0x821527a0	0x29c	Event	0x1f0003	
1088	svchost.exe	0x81f06ff0	0

1088	svchost.exe	0x822cae70	0x47c	Event	0x1f0003	
1088	svchost.exe	0xe1a5cd78	0x480	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0x81f17320	0x484	Event	0x1f0003	
1088	svchost.exe	0x81f5e8b8	0x488	Event	0x1f0003	
1088	svchost.exe	0xe1565be0	0x48c	Port	0x1f0001	OLE716C029CCA2A4F638ACE4D680E6F
1088	svchost.exe	0xe18c64f8	0x490	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0x81f162d8	0x494	Event	0x1f0003	
1088	svchost.exe	0x822c6b30	0x498	Thread	0x1f03ff	Tid 1480 Pid 1088
1088	svchost.exe	0x81f172f0	0x49c	Event	0x1f0003	
1088	svchost.exe	0xe1918d30	0x4a4	Key	0x20019	MACHINE\SOFTWARE\MICROSOFT\TRACING\RASTAPI
1088	svchost.exe	0xe184e410	0x4a8	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0xe18542a0	0x4ac	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0xe1904dd8	0x4b0	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0xe1904d70	0x4b4	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0x82163db8	0x4b8	Event	0x1f0003	
1088	svchost.exe	0x81dbc028	0x4bc	Fil

1088	svchost.exe	0x81e645b0	0x6b8	Event	0x1f0003	
1088	svchost.exe	0x8216d2a0	0x6bc	Event	0x1f0003	
1088	svchost.exe	0x8216e250	0x6c0	Thread	0x1f03ff	Tid 592 Pid 1088
1088	svchost.exe	0x81dc4ae8	0x6c4	Event	0x1f0003	
1088	svchost.exe	0x822df678	0x6c8	Thread	0x1f03ff	Tid 268 Pid 1088
1088	svchost.exe	0x81dc3b70	0x6cc	Mutant	0x1f0001	4FCC0DEFE22C4f138FB9D5AF25FD9398
1088	svchost.exe	0x81dc3bc0	0x6d0	Mutant	0x1f0001	0CADFD67AF62496dB34264F000F5624A
1088	svchost.exe	0x81dc3b20	0x6d4	Mutant	0x1f0001	238FAD3109D3473aB4764B20B3731840
1088	svchost.exe	0x81f0ef40	0x6d8	Event	0x1f0003	
1088	svchost.exe	0x81e4f7a8	0x6dc	Event	0x1f0003	
1088	svchost.exe	0x82166540	0x6e0	File	0x12019f	\Device\NamedPipe\PCHHangRepExecPipe
1088	svchost.exe	0x822dd670	0x6e4	Event	0x1f0003	
1088	svchost.exe	0x81ea7a90	0x6e8	Semaphore	0x100003	
1088	svchost.exe	0x8215c760	0x6ec	Event	0x1f0003	
1088	svchost.exe	0x82162498	0x6f0	Event	0x1f0003	
1088	svchost.exe	0x821624d0	0x6f4	File	0x12019f	\Device\NamedPipe\PCHFaultRepE

1088	svchost.exe	0x81df4900	0x8d4	Thread	0x1f03ff	Tid 1600 Pid 1088
1088	svchost.exe	0x81df4278	0x8d8	Mutant	0x1f0001	
1088	svchost.exe	0x81df45c0	0x8dc	Thread	0x1f03ff	Tid 1612 Pid 1088
1088	svchost.exe	0x81ef3c38	0x8e0	Mutant	0x1f0001	
1088	svchost.exe	0xe1d09970	0x8e4	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0x81df41e8	0x8e8	Event	0x1f0003	
1088	svchost.exe	0x81df41a8	0x8ec	Mutant	0x1f0001	
1088	svchost.exe	0x81df4178	0x8f0	Event	0x1f0003	
1088	svchost.exe	0x81f9e6e0	0x8f4	Thread	0x1f03ff	Tid 1596 Pid 1088
1088	svchost.exe	0x81dc2570	0x8f8	Process	0x478	svchost.exe Pid 1032
1088	svchost.exe	0xe1cd2870	0x8fc	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0xe1cc77a8	0x900	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0xe1d6b758	0x904	Port	0x1f0001	
1088	svchost.exe	0x81d32c10	0x908	Event	0x1f0003	
1088	svchost.exe	0x81d32be0	0x90c	Event	0x1f0003	
1088	svchost.exe	0x81df45c0	0x910	Thread	0x1f03ff	Tid 1612 Pid 1088
1088	svchost.exe	0x81f787e0	0x914	Event	0x10

1088	svchost.exe	0x81e78788	0xad0	Event	0x1f0003	
1088	svchost.exe	0x822e65a8	0xad4	Event	0x1f0003	
1088	svchost.exe	0xe1d0c328	0xad8	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0x81dd36e0	0xadc	IoCompletion	0x1f0003	
1088	svchost.exe	0x81e7c970	0xae0	Event	0x1f0003	
1088	svchost.exe	0x822e6578	0xae4	Event	0x1f0003	
1088	svchost.exe	0x81ed1840	0xae8	File	0x1f01ff	\Device\Afd\Endpoint
1088	svchost.exe	0xe1d85300	0xaec	Key	0x20019	MACHINE\SYSTEM\SETUP
1088	svchost.exe	0x81f693e0	0xaf0	File	0x1f01ff	\Device\Udp
1088	svchost.exe	0x8223d580	0xaf4	Thread	0x1f03ff	Tid 488 Pid 1088
1088	svchost.exe	0x81d327d0	0xaf8	Event	0x1f0003	
1088	svchost.exe	0x81daec30	0xafc	Event	0x1f0003	
1088	svchost.exe	0x81f156b0	0xb00	Event	0x1f0003	
1088	svchost.exe	0x81f0fd78	0xb04	Event	0x1f0003	
1088	svchost.exe	0xe1d1f4a8	0xb08	Section	0xf0007	Wmi Provider Sub System Counters
1088	svchost.exe	0xe1b7d7b0	0xb0c	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0x81e78728	0xb10	Event	0x1f0003	
1088	

1088	svchost.exe	0x81dff918	0xce8	Mutant	0x1f0001	
1088	svchost.exe	0x8215c8f8	0xcec	File	0x12019f	\Device\HarddiskVolume1\WINDOWS\WindowsUpdate.log
1088	svchost.exe	0x81e7daa8	0xcf0	Event	0x1f0003	
1088	svchost.exe	0x81d2e350	0xcf4	Event	0x1f0003	
1088	svchost.exe	0x81e452f0	0xcf8	Thread	0x1f03ff	Tid 1776 Pid 1088
1088	svchost.exe	0x822f7c50	0xcfc	Event	0x1f0003	
1088	svchost.exe	0x822dba40	0xd00	Event	0x1f0003	
1088	svchost.exe	0x81f39b48	0xd04	Event	0x1f0003	
1088	svchost.exe	0x81f39a30	0xd08	Event	0x1f0003	
1088	svchost.exe	0x81ddb7c0	0xd0c	Event	0x1f0003	
1088	svchost.exe	0x81ddb790	0xd10	Event	0x1f0003	
1088	svchost.exe	0x81ddb760	0xd14	Event	0x1f0003	
1088	svchost.exe	0x81ddb730	0xd18	Event	0x1f0003	
1088	svchost.exe	0x81f0aac0	0xd1c	Event	0x1f0003	
1088	svchost.exe	0x81f0aa90	0xd20	Event	0x1f0003	
1088	svchost.exe	0x81f0aa60	0xd24	Event	0x1f0003	
1088	svchost.exe	0x81f0aa30	0xd28	Event	0x1f0003	
1088	svchost.exe	0x81f0aa00	0xd2c	Event	0x1f0003	
1088	svchost.exe	0x81f0a9d0	0xd30

1088	svchost.exe	0x822dbb90	0xf00	Event	0x1f0003	
1088	svchost.exe	0x81fabc08	0xf04	File	0x1f01ff	\Device\Udp
1088	svchost.exe	0x81dc27f8	0xf08	Event	0x1f0003	
1088	svchost.exe	0x81dd9230	0xf0c	Thread	0x1f03ff	Tid 244 Pid 1088
1088	svchost.exe	0x81e7a420	0xf10	Event	0x1f0003	
1088	svchost.exe	0x81f22f88	0xf14	Event	0x1f0003	
1088	svchost.exe	0x81dda1c0	0xf18	Event	0x1f0003	
1088	svchost.exe	0x81d32020	0xf1c	Thread	0x1f03ff	Tid 1620 Pid 1088
1088	svchost.exe	0x81e80da0	0xf20	Event	0x1f0003	
1088	svchost.exe	0x81dd9230	0xf24	Thread	0x1f03ff	Tid 244 Pid 1088
1088	svchost.exe	0x82197a50	0xf28	Event	0x1f0003	
1088	svchost.exe	0xe1e9e568	0xf2c	Port	0x1f0001	
1088	svchost.exe	0x81e78870	0xf30	Event	0x1f0003	
1088	svchost.exe	0xe1e9c788	0xf38	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0x81fa9240	0xf3c	Event	0x1f0003	
1088	svchost.exe	0x820779e0	0xf40	File	0x1f01ff	\Device\Afd\Endpoint
1088	svchost.exe	0x81ed4898	0xf44	Event	0x1f0003	
1088	svchost.exe	0x81f175a0	0xf48	Semaphore	0x1f0

1088	svchost.exe	0x81fa6290	0x1140	Event	0x100000	SC_AutoStartComplete
1088	svchost.exe	0x81e08058	0x1144	Event	0x100003	
1088	svchost.exe	0xe12f9c28	0x1148	Port	0x1f0001	
1088	svchost.exe	0x81dbbf48	0x114c	Mutant	0x1f0001	
1088	svchost.exe	0x822f7818	0x1150	Event	0x1f0003	
1088	svchost.exe	0x8230cf90	0x1154	Event	0x1f0003	
1088	svchost.exe	0x81f60e98	0x1158	Event	0x1f0003	
1088	svchost.exe	0x81f60e68	0x115c	Event	0x1f0003	
1088	svchost.exe	0x822f9368	0x1160	Event	0x1f0003	
1088	svchost.exe	0xe1d41da8	0x1164	Token	0xc	
1088	svchost.exe	0x81e08b40	0x1168	Event	0x1f0003	
1088	svchost.exe	0x82079658	0x116c	Event	0x1f0003	
1088	svchost.exe	0x821a97f0	0x1170	Thread	0x1f03ff	Tid 2000 Pid 1088
1088	svchost.exe	0x81e08300	0x1174	Event	0x1f0003	
1088	svchost.exe	0xe1d06710	0x1178	Key	0x20019	MACHINE\SOFTWARE\CLASSES
1088	svchost.exe	0x81e082d0	0x117c	Event	0x1f0003	
1088	svchost.exe	0xe1da1350	0x1180	Port	0x1f0001	
1088	svchost.exe	0xe1d9c2c8	0x1184	Section	0x4	
1088	svchost.exe	0x823249c0	0x11

1088	svchost.exe	0x822c47c8	0x134c	Mutant	0x100000	RasPbFile
1088	svchost.exe	0x82324d70	0x1350	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
1088	svchost.exe	0x8206c7c0	0x1354	Mutant	0x1f0001	
1088	svchost.exe	0x81eba9e0	0x1358	Event	0x1f0003	
1088	svchost.exe	0xe1d0f6a0	0x135c	Port	0x1f0001	
1088	svchost.exe	0x822ca798	0x1360	Semaphore	0x1f0003	
1088	svchost.exe	0x81f59d98	0x1364	Event	0x1f0003	
1088	svchost.exe	0xe1db52c8	0x1368	Port	0x1f0001	
1088	svchost.exe	0x82301368	0x136c	Thread	0x1f03ff	Tid 1528 Pid 1088
1088	svchost.exe	0x821a9db8	0x1370	Event	0x1f0003	
1088	svchost.exe	0x82164da0	0x1374	Process	0x100000	svchost.exe Pid 716
1088	svchost.exe	0x81f2b7e8	0x137c	Event	0x1f0003	
1088	svchost.exe	0x82151b80	0x1380	Thread	0x1f03ff	Tid 1740 Pid 1088
1088	svchost.exe	0x8223d580	0x1384	Thread	0x1f03ff	Tid 488 Pid 1088
1088	svchost.exe	0x81d29598	0x1388	Event	0x1f0003	
1088	svchost.exe	0x82193218	

1088	svchost.exe	0x81f36340	0x158c	Mutant	0x1f0001	
1088	svchost.exe	0x81e08518	0x1590	Mutant	0x1f0001	
1088	svchost.exe	0x822c8b38	0x1594	Semaphore	0x100003	
1088	svchost.exe	0x81e6cf80	0x1598	Semaphore	0x100003	
1088	svchost.exe	0xe1ca8178	0x159c	Key	0x20019	MACHINE\SOFTWARE\MICROSOFT\TRACING\CONFTSP
1088	svchost.exe	0x81f32590	0x15a0	Event	0x1f0003	
1088	svchost.exe	0x81f59b98	0x15a4	Mutant	0x1f0001	
1088	svchost.exe	0x822f0ac0	0x15a8	Event	0x1f0003	
1088	svchost.exe	0x822cf600	0x15ac	Mutant	0x1f0001	
1088	svchost.exe	0x81f756a8	0x15b0	File	0x12019f	\Device\HarddiskVolume1\WINDOWS\system32\h323log.txt
1088	svchost.exe	0x81e73c78	0x15b4	Event	0x1f0003	
1088	svchost.exe	0xe1116878	0x15b8	Key	0x20019	MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\H323TSP
1088	svchost.exe	0x8223c1e0	0x15bc	Event	0x1f0003	
1088	svchost.exe	0x82319b58	0x15c0	IoCompletion	0x1f0003	
1088	svchost.exe	0x81e083c0	0x15c4	Event	0x1f0003	
1088	svchost.exe	0x821744d0	0x15c8	Thread	0x1f03ff	Tid 1928 Pid 1088
108

1140	svchost.exe	0x81e572f8	0x98	Semaphore	0x100003	
1140	svchost.exe	0x81e91bc8	0x9c	Semaphore	0x100003	
1140	svchost.exe	0xe1919430	0xa0	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE
1140	svchost.exe	0xe1a73558	0xa4	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
1140	svchost.exe	0xe18fa020	0xa8	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES
1140	svchost.exe	0xe173c2f8	0xac	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
1140	svchost.exe	0x81fa1690	0xb0	Event	0x1f0003	
1140	svchost.exe	0x81e56020	0xb8	Event	0x1f0003	
1140	svchost.exe	0xe18fa360	0xbc	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9
1140	svchost.exe	0x81e56130	0xc0	Event	0x1f0003	
1140	svchost.exe	0xe1904bc8	0xc4	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5
1140	svchost.exe	0x81e560c8	0xc8	Event	0x1f0003	
1140	svchost.exe	0x82160970	0xcc	Event	0x1f0003

1212	svchost.exe	0x81f21a48	0x198	Mutant	0x1f0001	c:!documents and settings!localservice!local settings!temporary internet files!content.ie5!
1212	svchost.exe	0xe185cbd0	0x19c	Section	0xf0007	C:_Documents and Settings_LocalService_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768
1212	svchost.exe	0x81e5ab00	0x1a0	File	0x12019f	\Device\HarddiskVolume1\Documents and Settings\LocalService\Cookies\index.dat
1212	svchost.exe	0x822faa70	0x1a4	Mutant	0x1f0001	c:!documents and settings!localservice!cookies!
1212	svchost.exe	0xe1b47998	0x1a8	Section	0xf0007	C:_Documents and Settings_LocalService_Cookies_index.dat_16384
1212	svchost.exe	0x822d0498	0x1ac	File	0x12019f	\Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
1212	svchost.exe	0x81e61a00	0x1b0	Mutant	0x1f0001	c:!documents and settings!localservice!local settings!history!history.ie5!
1212	svchost.exe	0xe1b75bd0	0x1b4	Section	0xf0007	C:_Documents and Settings_LocalServi

1512	spoolsv.exe	0x822da148	0x58	Event	0x1f0003	
1512	spoolsv.exe	0x81e57ae0	0x5c	Event	0x1f0003	
1512	spoolsv.exe	0x81f5ae28	0x60	Semaphore	0x1f0003	shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
1512	spoolsv.exe	0x81fb2890	0x64	Event	0x1f0003	userenv:  User Profile setup event
1512	spoolsv.exe	0x81e5a428	0x68	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
1512	spoolsv.exe	0x82157220	0x6c	File	0x12019f	\Device\NamedPipe\net\NtControlPipe8
1512	spoolsv.exe	0x81f9f0e8	0x70	Event	0x1f0003	
1512	spoolsv.exe	0x81f16468	0x74	Event	0x1f0003	
1512	spoolsv.exe	0x81dba4d8	0x78	Event	0x1f0003	
1512	spoolsv.exe	0x81dba4a8	0x7c	Event	0x1f0003	
1512	spoolsv.exe	0x8219b3b8	0x80	Thread	0x1f03ff	Tid 1516 Pid 1512
1512	spoolsv.exe	0x81dba440	0x84	Event	0x1f0003	
1512	spoolsv.exe	0xe19cce40	0x88	Port	0x1f0001	
1512	spoolsv.exe	0x81f16c98	0x8c	Event	0x1f0003	
1512	spoolsv.exe	0xe1a80198	0x90	Key	0x20f003f	MACHINE\SOFTW

1672	explorer.exe	0x81f123d8	0x50	File	0x12019f	\Device\WMIDataDevice
1672	explorer.exe	0x81dbd5d8	0x54	Event	0x1f0003	
1672	explorer.exe	0x822ffb48	0x58	WmiGuid	0xa84	
1672	explorer.exe	0x81db8f90	0x5c	File	0x12019f	\Device\WMIDataDevice
1672	explorer.exe	0x81e76de8	0x60	Event	0x1f0003	
1672	explorer.exe	0x81da71a8	0x64	Process	0x1f0fff	explorer.exe Pid 1672
1672	explorer.exe	0x81e76db8	0x68	Event	0x1f0003	
1672	explorer.exe	0x81e76d88	0x6c	Event	0x1f0003	
1672	explorer.exe	0x81f18438	0x70	WmiGuid	0xa84	
1672	explorer.exe	0x81e76ce0	0x74	Event	0x100003	
1672	explorer.exe	0x82318880	0x78	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
1672	explorer.exe	0xe1baf210	0x7c	Key	0x2001f	USER\S-1-5-21-583907252-1123561945-1606980848-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
1672	explorer.exe	0x81e76ca0	0x80	Mutant	0x1f0001	
1672	explorer.exe	0x82318448	0x84	Event	0x1f0003	
1672	explor

1672	explorer.exe	0xe1c63268	0x200	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
1672	explorer.exe	0xe1864bb0	0x204	Section	0xf001f	MSCTF.Shared.SFM.AEH
1672	explorer.exe	0x81fb2448	0x208	Semaphore	0x1f0003	shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
1672	explorer.exe	0x82162028	0x20c	File	0x100080	\Device\MountPointManager
1672	explorer.exe	0xe12a40e0	0x210	Port	0x1f0001	
1672	explorer.exe	0x81efe898	0x214	Event	0x100003	
1672	explorer.exe	0x81f19da8	0x218	Thread	0x2	Tid 1724 Pid 1672
1672	explorer.exe	0x821643a0	0x21c	Event	0x21f0003	
1672	explorer.exe	0x81f9bbd0	0x220	Event	0x1f0003	
1672	explorer.exe	0x81f19da8	0x224	Thread	0x1f03ff	Tid 1724 Pid 1672
1672	explorer.exe	0xe11a1b40	0x228	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
1672	explorer.exe	0xe1b06fb8	0x22c	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
1672	explorer.exe	0x82311b48	0x230	Semaphore	0x1f0003	
1672	explorer.exe	0x82079690	0x234	Thread	0x

1672	explorer.exe	0x81e76bc8	0x368	WmiGuid	0xa84	
1672	explorer.exe	0x822b7a10	0x36c	WmiGuid	0xa84	
1672	explorer.exe	0xe184cab8	0x374	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
1672	explorer.exe	0x81db2480	0x378	File	0x120116	\Device\Tcp
1672	explorer.exe	0x823111b0	0x37c	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
1672	explorer.exe	0x81e50208	0x380	File	0x100001	\Device\HarddiskVolume1\Documents and Settings\demo\NetHood
1672	explorer.exe	0x81fab600	0x384	File	0x1200a0	\Device\Tcp
1672	explorer.exe	0xe1ccd468	0x388	Section	0xf0007	AtlDebugAllocator_FileMappingNameStatic3_688
1672	explorer.exe	0xe15345b8	0x38c	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
1672	explorer.exe	0x81db2510	0x390	Event	0x1f0003	
1672	explorer.exe	0x81f0de98	0x394	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf

1672	explorer.exe	0x822f7438	0x518	Event	0x1f0003	
1672	explorer.exe	0x81d2e438	0x51c	Event	0x1f0003	
1672	explorer.exe	0x81d2fda8	0x520	Thread	0x1f03ff	Tid 1864 Pid 1672
1672	explorer.exe	0x81fb19f0	0x524	Semaphore	0x1f0003	
1672	explorer.exe	0xe19cede8	0x528	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
1672	explorer.exe	0xe1db3628	0x52c	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
1672	explorer.exe	0x81e44478	0x530	File	0x100001	\Device\HarddiskVolume1\Documents and Settings\demo\Start Menu
1672	explorer.exe	0x81eae378	0x534	Semaphore	0x1f0003	
1672	explorer.exe	0x81eae3b0	0x538	Semaphore	0x1f0003	
1672	explorer.exe	0x81d32ac0	0x53c	File	0x100001	\Device\HarddiskVolume1\Documents and Settings\All Users\Start Menu
1672	explorer.exe	0x822cad18	0x540	File	0x12019f	\Device\HarddiskVolume1\Documents and Settings\demo\Local Settings\Application Data\VMware\hgfs.dat
1672	explorer.exe	0x81efe7c8	0x544	Semaphore	0x1f0003	
1672	explorer.exe	0

1672	explorer.exe	0x81f98a90	0x6d8	Semaphore	0x1f0003	
1672	explorer.exe	0xe1cf42b8	0x6dc	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
1672	explorer.exe	0xe1d962b0	0x6e0	Key	0x2001d	USER\S-1-5-21-583907252-1123561945-1606980848-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY\P3SITES
1672	explorer.exe	0x82167108	0x6e4	Semaphore	0x1f0003	
1672	explorer.exe	0x822d90c0	0x6ec	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
1672	explorer.exe	0xe124dc38	0x6f0	Key	0x20006	USER\S-1-5-21-583907252-1123561945-1606980848-1003\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\BAGS\19\SHELL
1672	explorer.exe	0xe11a4560	0x6f8	Key	0x2001b	USER\S-1-5-21-583907252-1123561945-1606980848-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY\P3GLOBAL
1672	explorer.exe	0xe1c96d10	0x6fc	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
1672	explorer.exe	0x81e4f770	0x700	Semaphore	0x1f00

1672	explorer.exe	0x82309de0	0x8a8	Event	0x1f0003	
1672	explorer.exe	0x82309bd8	0x8ac	Event	0x1f0003	
1672	explorer.exe	0xe1169738	0x8b0	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES
1672	explorer.exe	0x823099d0	0x8b4	Event	0x1f0003	
1672	explorer.exe	0x82309aa0	0x8b8	Event	0x1f0003	
1672	explorer.exe	0x822f16b8	0x8bc	Event	0x1f0003	
1672	explorer.exe	0x82309a38	0x8c0	Event	0x1f0003	
1672	explorer.exe	0x8215b458	0x8c4	Event	0x1f0003	
1672	explorer.exe	0x82301170	0x8c8	Event	0x1f0003	
1672	explorer.exe	0x81dcbaf0	0x8cc	Event	0x1f0003	
1672	explorer.exe	0x822afa40	0x8d0	Event	0x1f0003	
1672	explorer.exe	0x81e859d8	0x8d4	Event	0x1f0003	
1672	explorer.exe	0x8215d768	0x8d8	Event	0x1f0003	
1672	explorer.exe	0xe11804d0	0x8dc	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES
1672	explorer.exe	0x822f0d48	0x8e0	Event	0x1f0003	
1672	explorer.exe	0x82157320	0x8e4	Event	0x1f00

2004	VMwareUser.exe	0x82167d78	0x48	File	0x100001	\Device\KsecDD
2004	VMwareUser.exe	0x821598f0	0x4c	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
2004	VMwareUser.exe	0x81f037f8	0x50	Event	0x1f0003	
2004	VMwareUser.exe	0x81f63588	0x54	Semaphore	0x100003	
2004	VMwareUser.exe	0x821612b8	0x58	Semaphore	0x100003	
2004	VMwareUser.exe	0xe1843bb0	0x5c	Key	0x20019	MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
2004	VMwareUser.exe	0x822afad0	0x60	Semaphore	0x1f0003	
2004	VMwareUser.exe	0x81f09e48	0x64	Event	0x1f0003	
2004	VMwareUser.exe	0xe17f2690	0x68	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\CONTROL\NETWORKPROVIDER\HWORDER
2004	VMwareUser.exe	0x8215eba0	0x6c	Semaphore	0x100003	
2004	VMwareUser.exe	0x8215eb68	0x70	Semaphore	0x100003	
2004	VMwareUser.exe	0x81dc1028	0x74	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

2004	VMwareUser.exe	0xe179ec38	0x1f4	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
2004	VMwareUser.exe	0xe1cab7a8	0x1f8	Key	0xf003f	USER\S-1-5-21-583907252-1123561945-1606980848-1003\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE
2004	VMwareUser.exe	0x81dd12d0	0x1fc	Thread	0x1f03ff	Tid 1236 Pid 2004
2004	VMwareUser.exe	0x81fb2890	0x200	Event	0x1f0003	userenv:  User Profile setup event
2004	VMwareUser.exe	0x81fa4820	0x204	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
2004	VMwareUser.exe	0x81db0888	0x208	Event	0x1f0003	
2004	VMwareUser.exe	0xe126b878	0x20c	Token	0xc	
2004	VMwareUser.exe	0x81f95da8	0x210	Thread	0x1f03ff	Tid 1652 Pid 2004
2004	VMwareUser.exe	0xe1b35368	0x214	Key	0x20f003f	USER
2004	VMwareUser.exe	0xe179eca0	0x218	Key	0xf003f	USER\S-1-5-21-583907252-1123561945-1606980848-1003\SOFTWARE\MICROSOFT\WINDOWS\SHELL
2004	VMwareUser.exe	0xe1b0b1a0	0x21c	Key	0x20019	MAC

2004	VMwareUser.exe	0x8215e800	0x388	Event	0x1f0003	
2004	VMwareUser.exe	0xe126cda8	0x38c	Token	0xc	
2004	VMwareUser.exe	0x81e641a8	0x390	Event	0x1f0003	
2020	ctfmon.exe	0xe10096e0	0x4	KeyedEvent	0xf0003	CritSecOutOfMemoryEvent
2020	ctfmon.exe	0xe15a9e98	0x8	Directory	0x3	KnownDlls
2020	ctfmon.exe	0x81f6c7a0	0xc	File	0x100020	\Device\HarddiskVolume1\Documents and Settings\demo
2020	ctfmon.exe	0x821aa260	0x10	Semaphore	0x100003	
2020	ctfmon.exe	0xe172a940	0x14	Directory	0xf000f	Windows
2020	ctfmon.exe	0xe17f7518	0x18	Port	0x21f0001	
2020	ctfmon.exe	0x821aa298	0x1c	Semaphore	0x100003	
2020	ctfmon.exe	0xe1741030	0x20	Directory	0x2000f	BaseNamedObjects
2020	ctfmon.exe	0x822f2108	0x24	Mutant	0x1f0001	SHIMLIB_LOG_MUTEX
2020	ctfmon.exe	0xe1cace60	0x28	Key	0x20f003f	MACHINE
2020	ctfmon.exe	0x8216d988	0x2c	WindowStation	0xf037f	WinSta0
2020	ctfmon.exe	0x821aa1d0	0x30	Event	0x21f0003	
2020	ctfmon.exe	0x81eaccf8	0x34	Desktop	0xf01ff	Default
2020	ctfmon.exe	0x8216d988	0x38	WindowStation	0xf037f	Wi

1032	VMwareService.e	0x81fb0590	0x64	File	0x100003	\Device\Ip
1032	VMwareService.e	0x81fb04f8	0x68	File	0x1200a0	\Device\Ip
1032	VMwareService.e	0x81fb0488	0x6c	Semaphore	0x100003	
1032	VMwareService.e	0x81fb02a0	0x70	Semaphore	0x100003	
1032	VMwareService.e	0xe1d69860	0x74	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE
1032	VMwareService.e	0xe1cec530	0x78	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
1032	VMwareService.e	0xe1d80438	0x7c	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES
1032	VMwareService.e	0xe1b99c30	0x80	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
1032	VMwareService.e	0x82156538	0x84	Event	0x1f0003	VMwareToolsServiceEvent
1032	VMwareService.e	0x81e57028	0x88	File	0x12019f	\Device\NamedPipe\net\NtControlPipe10
1032	VMwareService.e	0x81fb04c0	0x8c	Event	0x1f0003	
1032	VMwareService.e	0x81e570f0	0x90	Event	0x1f0003	
1032	VMwareService.e	0x81e570c0	0x94	Event	0x1f0003	
1032	VMwareSer

1032	VMwareService.e	0x81eaff10	0x204	Mutant	0x1f0001	PSched_Perf_Library_Lock_PID_408
1032	VMwareService.e	0xe1a80200	0x208	Key	0x2001f	MACHINE\SYSTEM\CONTROLSET001\SERVICES\REMOTEACCESS\PERFORMANCE
1032	VMwareService.e	0x81fb68b8	0x20c	Mutant	0x1f0001	RemoteAccess_Perf_Library_Lock_PID_408
1032	VMwareService.e	0xe1da5558	0x210	Key	0x2001f	MACHINE\SYSTEM\CONTROLSET001\SERVICES\RSVP\PERFORMANCE
1032	VMwareService.e	0x81eb1fe0	0x214	Mutant	0x1f0001	RSVP_Perf_Library_Lock_PID_408
1032	VMwareService.e	0xe1e92df8	0x218	Key	0x2001f	MACHINE\SYSTEM\CONTROLSET001\SERVICES\SERVICEMODELENDPOINT 3.0.0.0\PERFORMANCE
1032	VMwareService.e	0x81ea1580	0x21c	Mutant	0x1f0001	ServiceModelEndpoint 3.0.0.0_Perf_Library_Lock_PID_408
1032	VMwareService.e	0xe1d06678	0x220	Key	0x2001f	MACHINE\SYSTEM\CONTROLSET001\SERVICES\SERVICEMODELOPERATION 3.0.0.0\PERFORMANCE
1032	VMwareService.e	0x81ec01f8	0x224	Mutant	0x1f0001	ServiceModelOperation 3.0.0.0_Perf_Library_Lock_PID_408
1032	VMwareService.e	0xe1ac77a8	0x228	K

464	alg.exe	0xe1eadda8	0x130	Token	0xc	
464	alg.exe	0xe1ea46e8	0x134	Key	0x10	MACHINE\SOFTWARE\MICROSOFT\ALG\ISV
464	alg.exe	0x81db46a8	0x138	Event	0x1f0003	
464	alg.exe	0x8223d418	0x13c	Event	0x1f0003	
464	alg.exe	0x8206c788	0x140	Event	0x1f0003	
464	alg.exe	0x821aa790	0x144	Thread	0x1f03ff	Tid 1584 Pid 464
464	alg.exe	0xe1ea77f0	0x148	Port	0x1f0001	
464	alg.exe	0xe1da82c0	0x14c	Port	0x1f0001	
464	alg.exe	0xe1b060e8	0x150	Key	0x20019	USER\S-1-5-19_CLASSES
464	alg.exe	0xe1ea8de0	0x154	Token	0xc	
464	alg.exe	0x822cf370	0x158	Timer	0x1f0003	
464	alg.exe	0x8223ede0	0x15c	Event	0x21f0003	
464	alg.exe	0x82316378	0x160	Thread	0x1f03ff	Tid 616 Pid 464
464	alg.exe	0x81e7d998	0x164	Event	0x1f0003	
464	alg.exe	0x81e7d930	0x168	Event	0x1f0003	
464	alg.exe	0x821aa790	0x16c	Thread	0x1f03ff	Tid 1584 Pid 464
464	alg.exe	0x8223ee10	0x170	Event	0x1f0003	
464	alg.exe	0xe1d11020	0x174	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9
464	alg.exe	0x8223edb0	0x178	Even

1464	msiexec.exe	0xe10fc858	0xd8	Key	0x10	USER
1464	msiexec.exe	0x81e742b8	0xdc	Event	0x1f0003	
1464	msiexec.exe	0xe1d701a0	0xe0	Key	0xf003f	MACHINE\SOFTWARE\CLASSES
1464	msiexec.exe	0x821868a8	0xe4	Event	0x1f0003	
1464	msiexec.exe	0xe11bd978	0xe8	Key	0x10	USER
1464	msiexec.exe	0x82186878	0xec	Event	0x1f0003	
1464	msiexec.exe	0xe1d741c8	0xf0	Key	0xf003f	MACHINE\SOFTWARE\MICROSOFT\COM3
1464	msiexec.exe	0x81ddda98	0xf4	Event	0x1f0003	
1464	msiexec.exe	0xe1d74160	0xf8	Key	0xf003f	MACHINE\SOFTWARE\MICROSOFT\COM3
1464	msiexec.exe	0x81ddda68	0xfc	Event	0x1f0003	
1464	msiexec.exe	0xe1eaa0f8	0x100	Key	0xf003f	MACHINE\SOFTWARE\CLASSES\CLSID
1464	msiexec.exe	0x81e7c8a8	0x104	Event	0x1f0003	
1464	msiexec.exe	0xe1eaa090	0x108	Key	0xf003f	MACHINE\SOFTWARE\CLASSES
1464	msiexec.exe	0x81e7c878	0x10c	Event	0x1f0003	
1464	msiexec.exe	0xe1047020	0x110	Key	0xf003f	MACHINE\SOFTWARE\MICROSOFT\COM3
1464	msiexec.exe	0x81e759f8	0x114	Event	0x1f0003	
1464	msiexec.exe	0xe1047098	0x118	Key	0x10	USER
1464	msiexec.

1464	msiexec.exe	0x81e83bd0	0x324	Event	0x1f0003	
1464	msiexec.exe	0x81dc5ef8	0x328	Event	0x1f0003	
1464	msiexec.exe	0x8231a898	0x32c	Event	0x1f0003	
1464	msiexec.exe	0x81f718d0	0x330	Event	0x1f0003	
1464	msiexec.exe	0x81f718a0	0x334	Event	0x1f0003	
1464	msiexec.exe	0x81f71870	0x338	Event	0x1f0003	
1464	msiexec.exe	0x81f95c28	0x33c	File	0x100001	\Device\HarddiskVolume1\Documents and Settings\demo\Application Data\Microsoft\SystemCertificates\My
1464	msiexec.exe	0xe1b62040	0x340	Section	0x4	SENS Information Cache
1464	msiexec.exe	0x81f63eb0	0x344	Event	0x1f0003	
1464	msiexec.exe	0xe1da89d0	0x348	Port	0x1f0001	
1464	msiexec.exe	0x81e88b80	0x34c	Event	0x1f0003	
1464	msiexec.exe	0xe1d77d98	0x350	Key	0x20019	MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PERFLIB
1464	msiexec.exe	0xe1e0d6a0	0x354	Port	0x1f0001	
1464	msiexec.exe	0x81f12158	0x35c	File	0x13019f	\Device\HarddiskVolume1\DOCUME~1\demo\LOCALS~1\Temp\Perflib_Perfdata_5b8.dat
1464	msiexec.exe	0x822c0088	0x360	Event	0x1f0003	
14

1464	msiexec.exe	0x81dd8dc8	0x4a4	Event	0x1f0003	
1464	msiexec.exe	0x81f29960	0x4a8	Event	0x1f0003	
1464	msiexec.exe	0xe11ba6b0	0x4ac	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES
1464	msiexec.exe	0xe11babb8	0x4b0	Key	0xf003f	USER\S-1-5-21-583907252-1123561945-1606980848-1003\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST
1464	msiexec.exe	0x81e56e10	0x4b4	Event	0x1f0003	
1464	msiexec.exe	0x81eaa7c0	0x4c0	Event	0x1f0003	
1464	msiexec.exe	0x81e65b50	0x4cc	Event	0x1f0003	
1464	msiexec.exe	0x81d30388	0x4d0	Thread	0x1f03ff	Tid 1972 Pid 1464
1464	msiexec.exe	0x81e4db60	0x4d4	Event	0x1f0003	
1464	msiexec.exe	0x81db2fc0	0x4e8	Event	0x1f0003	
1464	msiexec.exe	0x81db2f90	0x4ec	Event	0x1f0003	
1464	msiexec.exe	0xe1b06020	0x4f0	Port	0x1f0001	
1464	msiexec.exe	0x820717b8	0x4f4	Event	0x21f0003	
1464	msiexec.exe	0x820701c0	0x4fc	Event	0x1f0003	
1464	msiexec.exe	0xe104c020	0x500	Key	0x20019	USER\S-1-5-21-583907252-1123561945-1606980848-1003\

796	iexplore.exe	0xe122fd90	0x690	Section	0xf0007	C:_WINDOWS_system32_config_systemprofile_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768
796	iexplore.exe	0x81f07b88	0x694	File	0x12019f	\Device\HarddiskVolume1\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
796	iexplore.exe	0x81dca968	0x698	Mutant	0x1f0001	c:!windows!system32!config!systemprofile!local settings!history!history.ie5!
796	iexplore.exe	0xe1118c78	0x69c	Key	0x20019	MACHINE\SOFTWARE\MICROSOFT\TRACING\RASAPI32
796	iexplore.exe	0x81db7350	0x6a0	Mutant	0x1f0001	c:!windows!system32!config!systemprofile!local settings!temporary internet files!content.ie5!
796	iexplore.exe	0x81dbb930	0x6a4	Event	0x1f0003	
796	iexplore.exe	0x822f6da0	0x6a8	Semaphore	0x100003	
796	iexplore.exe	0x81df0a80	0x6ac	Mutant	0x100000	WininetStartupMutex
796	iexplore.exe	0x820708b8	0x6b0	Event	0x1f0003	
796	iexplore.exe	0xe195d7a0	0x6b4	Section	0xf0007	C:_WINDOWS_system32_config_systemprofile_Cookies_in

456	MIRAgent.exe	0x81e6f550	0x734	File	0x100020	\Device\HarddiskVolume1\Program Files\Mandiant\Mandiant Intelligent Response Agent
456	MIRAgent.exe	0x822d0898	0x738	Mutant	0x1f0001	
456	MIRAgent.exe	0x8232f020	0x73c	Event	0x1f0003	
456	MIRAgent.exe	0x822d5870	0x740	Event	0x1f0003	
456	MIRAgent.exe	0x82166f00	0x744	Event	0x1f0003	
456	MIRAgent.exe	0x821635b8	0x748	Mutant	0x1f0001	
456	MIRAgent.exe	0x81e52458	0x74c	Event	0x1f0003	
456	MIRAgent.exe	0x8217c260	0x750	Mutant	0x1f0001	
456	MIRAgent.exe	0xe1265dc8	0x754	Key	0xf003f	MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9
456	MIRAgent.exe	0xe1d18140	0x758	Key	0xf003f	MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5
456	MIRAgent.exe	0x81e875a8	0x75c	Thread	0x1f03ff	Tid 500 Pid 456
456	MIRAgent.exe	0xe1251a08	0x760	Port	0x1f0001	
456	MIRAgent.exe	0x81f60370	0x764	Event	0x1f0003	
456	MIRAgent.exe	0x81d243c8	0x768	Mutant	0x1f0001	Intelligent Response Agent Manager
456	MIRAgent.exe	0x81

That is too much to take in at once, so let's just focus on our suspect PID, which is 796.

In [2]:
python ../volatility3/vol.py -q -f E:\APT.img windows.handles.Handles --pid=796

Volatility 3 Framework 1.2.1

PID	Process	Offset	HandleValue	Type	GrantedAccess	Name

796	iexplore.exe	0x821ace98	0xc	File	0x100020	\Device\HarddiskVolume1\WINDOWS\system32
796	iexplore.exe	0x82189028	0x578	File	0x12019f	\Device\NamedPipe\ROUTER
796	iexplore.exe	0x822eff10	0x57c	Event	0x1f0003	
796	iexplore.exe	0x81f229d0	0x580	Semaphore	0x100003	
796	iexplore.exe	0x81f22a08	0x584	Semaphore	0x100003	
796	iexplore.exe	0x81f30838	0x588	Semaphore	0x100003	
796	iexplore.exe	0x822eae40	0x58c	Semaphore	0x100003	
796	iexplore.exe	0xe1c29c90	0x590	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
796	iexplore.exe	0xe1117fb8	0x594	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES
796	iexplore.exe	0xe1c29c28	0x598	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
796	iexplore.exe	0xe1e9f728	0x59c	Key	0x20019	MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE
796	iexplore.exe	0x821aaeb8	0x5a0	Semaphore	0x100003	
796	iexplore.exe	0x822

796	iexplore.exe	0xe1c5ade8	0x774	Key	0xf003f	MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5
796	iexplore.exe	0x81e7d5b8	0x778	Event	0x1f0003	
796	iexplore.exe	0xe111e2a8	0x77c	Key	0xf003f	MACHINE\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9
796	iexplore.exe	0x822ed538	0x780	Event	0x1f0003	
796	iexplore.exe	0x81dd17a8	0x784	Event	0x1f0003	
796	iexplore.exe	0x81d298c8	0x788	File	0x100020	\Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
796	iexplore.exe	0x82178de8	0x78c	Event	0x100003	
796	iexplore.exe	0x82070c98	0x790	WmiGuid	0xa84	
796	iexplore.exe	0x81f2a3b8	0x794	Event	0x1f0003	
796	iexplore.exe	0x81fb7110	0x798	Event	0x1f0003	
796	iexplore.exe	0x81dbdda0	0x79c	Process	0x1f0fff	iexplore.exe Pid 796
796	iexplore.exe	0x81e72220	0x7a0	Event	0x1f0003	
796	iexplore.exe	0x81f224c0	0x7a4	File	0x12019f	\Device\WMIDataDevice
796	iexplore.exe	0x81d1cf48	0x7a8	WmiGuid	0x

Earlier versions of the plugin let you filter by handle type with a `-t` flag; with Volatility 3 we can do the same with csvkit. Below we limit the handle output to registry keys and files by piping the CSV output through csvcut and csvgrep.

In [3]:
python ../volatility3/vol.py -q -r csv -f E:\APT.img windows.handles.Handles --pid=796 | csvcut -c 2,3,5,6,8 | csvgrep -c 4 -r "File|Key"

Volatility 3 Framework 1.2.1
PID,Process,HandleValue,Type,Name
796,iexplore.exe,0xc,File,\Device\HarddiskVolume1\WINDOWS\system32
796,iexplore.exe,0x578,File,\Device\NamedPipe\ROUTER
796,iexplore.exe,0x590,Key,MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
796,iexplore.exe,0x594,Key,MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES
796,iexplore.exe,0x598,Key,MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
796,iexplore.exe,0x59c,Key,MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE
796,iexplore.exe,0x5a8,File,\Device\Ip
796,iexplore.exe,0x5ac,File,\Device\Ip
796,iexplore.exe,0x5b0,File,\Device\Ip
796,iexplore.exe,0x5b4,File,\Device\Tcp
796,iexplore.exe,0x5b8,File,\Device\Tcp
796,iexplore.exe,0x5bc,File,\Device\NamedPipe\ROUTER
796,iexplore.exe,0x5c4,File,\Device\Afd\AsyncConnectHlp
796,iexplore.exe,0x5f8,Key,USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
796,iexplore.exe,0x5fc,Key,MACHINE\SOFTWARE
796,iexplore.exe,0x600

Some of the objects are unnamed; you can exclude these from the analysis by inverting a csvgrep match on an empty Name column, as shown below:

In [8]:
python ../volatility3/vol.py -q -r csv -f E:\APT.img windows.handles.Handles --pid=796 | csvcut -c 2,3,5,6,8 | csvgrep -c 5 -r "^$" -i 

Volatility 3 Framework 1.2.1
PID,Process,HandleValue,Type,Name
796,iexplore.exe,0xc,File,\Device\HarddiskVolume1\WINDOWS\system32
796,iexplore.exe,0x578,File,\Device\NamedPipe\ROUTER
796,iexplore.exe,0x590,Key,MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
796,iexplore.exe,0x594,Key,MACHINE\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES
796,iexplore.exe,0x598,Key,MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
796,iexplore.exe,0x59c,Key,MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE
796,iexplore.exe,0x5a8,File,\Device\Ip
796,iexplore.exe,0x5ac,File,\Device\Ip
796,iexplore.exe,0x5b0,File,\Device\Ip
796,iexplore.exe,0x5b4,File,\Device\Tcp
796,iexplore.exe,0x5b8,File,\Device\Tcp
796,iexplore.exe,0x5bc,File,\Device\NamedPipe\ROUTER
796,iexplore.exe,0x5c4,File,\Device\Afd\AsyncConnectHlp
796,iexplore.exe,0x5e4,Mutant,ZonesLockedCacheCounterMutex
796,iexplore.exe,0x5e8,Mutant,ZonesCacheCounterMutex
796,iexplore.exe,0x5ec,Mutant,ZoneAttributeCacheCounterMutex
79

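The same filtering as the two csvkit pipelines above, done in Python so it can be reused across processes, as an added example that is not part of the original notebook. The sample CSV is constructed from handles shown on this page; the leading `TreeDepth` column is inferred from the page's `csvcut -c 2,3,5,6,8` selection, and the `network_device_handles` helper is this example's own addition.

```python
import csv
import io
from collections import Counter

# Constructed sample of `vol.py -q -r csv ... windows.handles.Handles` output.
# Rows are modelled on handles shown on this page (offsets are sample values);
# the leading TreeDepth column is an assumption inferred from the page's
# `csvcut -c 2,3,5,6,8`, which yields PID,Process,HandleValue,Type,Name.
SAMPLE_CSV = r"""TreeDepth,PID,Process,Offset,HandleValue,Type,GrantedAccess,Name
0,796,iexplore.exe,0x821ace98,0xc,File,0x100020,\Device\HarddiskVolume1\WINDOWS\system32
0,796,iexplore.exe,0x82189028,0x578,File,0x12019f,\Device\NamedPipe\ROUTER
0,796,iexplore.exe,0x822eff10,0x57c,Event,0x1f0003,
0,796,iexplore.exe,0x81f229d0,0x580,Semaphore,0x100003,
0,796,iexplore.exe,0xe1c29c28,0x598,Key,0x20019,MACHINE\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
0,796,iexplore.exe,0x81000010,0x5b4,File,0x1200a0,\Device\Tcp
0,796,iexplore.exe,0x81000020,0x5e4,Mutant,0x1f0001,ZonesLockedCacheCounterMutex
0,796,iexplore.exe,0x81dbdda0,0x79c,Process,0x1f0fff,iexplore.exe Pid 796
0,1672,explorer.exe,0x81db2480,0x378,File,0x120116,\Device\Tcp
0,1672,explorer.exe,0xe1c63268,0x200,Key,0x20019,USER\S-1-5-21-583907252-1123561945-1606980848-1003_CLASSES
"""

# File handles whose name starts with one of these prefixes mean the process
# has opened the network stack (TCP/IP driver or the Winsock AFD device).
NETWORK_DEVICE_PREFIXES = (r"\Device\Tcp", r"\Device\Ip", r"\Device\Udp", r"\Device\Afd")


def parse_handles(text):
    """Parse the CSV renderer output into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_handles(rows, pid=None, types=None, named_only=False):
    """Mirror the csvkit pipelines: keep one PID, restrict to a set of object
    types (e.g. {"File", "Key"}), and/or drop handles with an empty Name."""
    out = []
    for row in rows:
        if pid is not None and int(row["PID"]) != pid:
            continue
        if types is not None and row["Type"] not in types:
            continue
        if named_only and row["Name"].strip() == "":
            continue
        out.append(row)
    return out


def type_counts(rows):
    """Count handles per object type; pslist's Handles column only gives the total."""
    return Counter(row["Type"] for row in rows)


def network_device_handles(rows):
    """Return the File handles that point at network device objects."""
    return [r for r in rows
            if r["Type"] == "File" and r["Name"].startswith(NETWORK_DEVICE_PREFIXES)]


def summarize(rows):
    """Format rows as 'HandleValue<TAB>Type<TAB>Name' lines, like the csvcut output."""
    return [f'{r["HandleValue"]}\t{r["Type"]}\t{r["Name"]}' for r in rows]


if __name__ == "__main__":
    handles = filter_handles(parse_handles(SAMPLE_CSV), pid=796)
    print("\n".join(summarize(filter_handles(handles, types={"File", "Key"}))))
    print(dict(type_counts(filter_handles(handles, named_only=True))))
    print("\n".join(summarize(network_device_handles(handles))))
```

Against a real image, replace `SAMPLE_CSV` with the captured output of the `-r csv` command from the cell above.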
## procdump

In [9]:
mkdir dump/


    Directory: C:\Users\analyst\Desktop\IncidentResponse\processanalysis

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d----           10/3/2021  5:26 PM                dump



In [15]:
python ../volatility3/vol.py -q -o dump -f  E:\APT.img  windows.pslist.PsList --pid=796 --dump 

Volatility 3 Framework 1.2.1

PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output

796	884	iexplore.exe	0x81dbdda0	8	152	0	False	2009-05-05 19:28:28.000000 	N/A	pid.796.0x400000.dmp


In [16]:
dir dump/


    Directory: C:\Users\analyst\Desktop\IncidentResponse\processanalysis\dump

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---           10/3/2021  5:43 PM         634880 pid.796.0x400000.dmp



## strings
View the dump and process files in a strings utility such as FLOSS; viewing them in the notebook would freeze it because of the amount of data.

## dlllist
Now that we have explored the process, let's look at all the DLLs loaded in the memory image. `dlllist` enumerates the doubly-linked list of `_LDR_DATA_TABLE_ENTRY` structures. DLLs are added to the list when a process calls the `LoadLibrary` function and are not removed until `FreeLibrary` is called. The load count column tells you whether the DLL was statically or dynamically loaded.

In [17]:
python ../volatility3/vol.py -q -f E:\APT.img windows.dlllist.DllList

Volatility 3 Framework 1.2.1

PID	Process	Base	Size	Name	Path	LoadTime	File output

564	smss.exe	0x48580000	0xf000	smss.exe	\SystemRoot\System32\smss.exe	N/A	Disabled
564	smss.exe	0x7c900000	0xaf000	ntdll.dll	C:\WINDOWS\system32\ntdll.dll	N/A	Disabled
636	csrss.exe	0x4a680000	0x5000	csrss.exe	\??\C:\WINDOWS\system32\csrss.exe	N/A	Disabled
636	csrss.exe	0x7c900000	0xaf000	ntdll.dll	C:\WINDOWS\system32\ntdll.dll	N/A	Disabled
636	csrss.exe	0x75b40000	0xb000	CSRSRV.dll	C:\WINDOWS\system32\CSRSRV.dll	N/A	Disabled
636	csrss.exe	0x75b50000	0x10000	basesrv.dll	C:\WINDOWS\system32\basesrv.dll	N/A	Disabled
636	csrss.exe	0x75b60000	0x4b000	winsrv.dll	C:\WINDOWS\system32\winsrv.dll	N/A	Disabled
636	csrss.exe	0x77f10000	0x49000	GDI32.dll	C:\WINDOWS\system32\GDI32.dll	N/A	Disabled
636	csrss.exe	0x7c800000	0xf6000	KERNEL32.dll	C:\WINDOWS\system32\KERNEL32.dll	N/A	Disabled
636	csrss.exe	0x7e410000	0x91000	USER32.dll	C:\WINDOWS\system32\USER32.dll	N/A	Disabled
636	csrss.exe	0x7e720000	0xb0000	sxs.dll	C

704	services.exe	0x5f770000	0xc000	NCObjAPI.DLL	C:\WINDOWS\system32\NCObjAPI.DLL	N/A	Disabled
704	services.exe	0x76080000	0x65000	MSVCP60.dll	C:\WINDOWS\system32\MSVCP60.dll	N/A	Disabled
704	services.exe	0x7dbd0000	0x51000	SCESRV.dll	C:\WINDOWS\system32\SCESRV.dll	N/A	Disabled
704	services.exe	0x776c0000	0x12000	AUTHZ.dll	C:\WINDOWS\system32\AUTHZ.dll	N/A	Disabled
704	services.exe	0x7e410000	0x91000	USER32.dll	C:\WINDOWS\system32\USER32.dll	N/A	Disabled
704	services.exe	0x77f10000	0x49000	GDI32.dll	C:\WINDOWS\system32\GDI32.dll	N/A	Disabled
704	services.exe	0x769c0000	0xb4000	USERENV.dll	C:\WINDOWS\system32\USERENV.dll	N/A	Disabled
704	services.exe	0x7dba0000	0x21000	umpnpmgr.dll	C:\WINDOWS\system32\umpnpmgr.dll	N/A	Disabled
704	services.exe	0x76360000	0x10000	WINSTA.dll	C:\WINDOWS\system32\WINSTA.dll	N/A	Disabled
704	services.exe	0x5b860000	0x55000	NETAPI32.dll	C:\WINDOWS\system32\NETAPI32.dll	N/A	Disabled
704	services.exe	0x5cb70000	0x26000	ShimEng.dll	C:\WINDOWS\system32\ShimEng.dll

872	vmacthlp.exe	0x7c420000	0x87000	MSVCP80.dll	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCP80.dll	N/A	Disabled
872	vmacthlp.exe	0x76390000	0x1d000	IMM32.DLL	C:\WINDOWS\system32\IMM32.DLL	N/A	Disabled
872	vmacthlp.exe	0x77f60000	0x76000	SHLWAPI.dll	C:\WINDOWS\system32\SHLWAPI.dll	N/A	Disabled
872	vmacthlp.exe	0x773d0000	0x103000	comctl32.dll	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	N/A	Disabled
872	vmacthlp.exe	0x5d090000	0x9a000	comctl32.dll	C:\WINDOWS\system32\comctl32.dll	N/A	Disabled
884	svchost.exe	0x1000000	0x6000	svchost.exe	C:\WINDOWS\system32\svchost.exe	N/A	Disabled
884	svchost.exe	0x7c900000	0xaf000	ntdll.dll	C:\WINDOWS\system32\ntdll.dll	N/A	Disabled
884	svchost.exe	0x7c800000	0xf6000	kernel32.dll	C:\WINDOWS\system32\kernel32.dll	N/A	Disabled
884	svchost.exe	0x77dd0000	0x9b000	ADVAPI32.dll	C:\WINDOWS\system32\ADVAPI32.dll	N/A	Disabled
884	svchost.exe	0x77

968	svchost.exe	0x71a90000	0x8000	wshtcpip.dll	C:\WINDOWS\System32\wshtcpip.dll	N/A	Disabled
968	svchost.exe	0x76f20000	0x27000	DNSAPI.dll	C:\WINDOWS\system32\DNSAPI.dll	N/A	Disabled
968	svchost.exe	0x76d60000	0x19000	iphlpapi.dll	C:\WINDOWS\system32\iphlpapi.dll	N/A	Disabled
968	svchost.exe	0x76fb0000	0x8000	winrnr.dll	C:\WINDOWS\System32\winrnr.dll	N/A	Disabled
968	svchost.exe	0x76f60000	0x2c000	WLDAP32.dll	C:\WINDOWS\system32\WLDAP32.dll	N/A	Disabled
968	svchost.exe	0x76fc0000	0x6000	rasadhlp.dll	C:\WINDOWS\system32\rasadhlp.dll	N/A	Disabled
968	svchost.exe	0x76fd0000	0x7f000	CLBCATQ.DLL	C:\WINDOWS\system32\CLBCATQ.DLL	N/A	Disabled
968	svchost.exe	0x77050000	0xc5000	COMRes.dll	C:\WINDOWS\system32\COMRes.dll	N/A	Disabled
1088	svchost.exe	0x1000000	0x6000	svchost.exe	C:\WINDOWS\System32\svchost.exe	N/A	Disabled
1088	svchost.exe	0x7c900000	0xaf000	ntdll.dll	C:\WINDOWS\system32\ntdll.dll	N/A	Disabled
1088	svchost.exe	0x7c800000	0xf6000	kernel32.dll	C:\WINDOWS\system32\kernel32.dll	N/A	D

1088	svchost.exe	0x75090000	0x1a000	srvsvc.dll	c:\windows\system32\srvsvc.dll	N/A	Disabled
1088	svchost.exe	0x77d00000	0x33000	netman.dll	c:\windows\system32\netman.dll	N/A	Disabled
1088	svchost.exe	0x76400000	0x1a5000	netshell.dll	c:\windows\system32\netshell.dll	N/A	Disabled
1088	svchost.exe	0x76c00000	0x2e000	credui.dll	c:\windows\system32\credui.dll	N/A	Disabled
1088	svchost.exe	0x736d0000	0x6000	dot3dlg.dll	c:\windows\system32\dot3dlg.dll	N/A	Disabled
1088	svchost.exe	0x5dca0000	0x28000	OneX.DLL	c:\windows\system32\OneX.DLL	N/A	Disabled
1088	svchost.exe	0x745b0000	0x22000	eappcfg.dll	c:\windows\system32\eappcfg.dll	N/A	Disabled
1088	svchost.exe	0x5dcd0000	0xe000	eappprxy.dll	c:\windows\system32\eappprxy.dll	N/A	Disabled
1088	svchost.exe	0x73030000	0x10000	WZCSAPI.DLL	c:\windows\system32\WZCSAPI.DLL	N/A	Disabled
1088	svchost.exe	0x662b0000	0x58000	HNETCFG.DLL	C:\WINDOWS\System32\HNETCFG.DLL	N/A	Disabled
1088	svchost.exe	0x73d20000	0x8000	seclogon.dll	c:\windows\system32\seclogon.dl

1140	svchost.exe	0x7e410000	0x91000	USER32.dll	C:\WINDOWS\system32\USER32.dll	N/A	Disabled
1140	svchost.exe	0x77f10000	0x49000	GDI32.dll	C:\WINDOWS\system32\GDI32.dll	N/A	Disabled
1140	svchost.exe	0x76b40000	0x2d000	WINMM.dll	C:\WINDOWS\system32\WINMM.dll	N/A	Disabled
1140	svchost.exe	0x774e0000	0x13d000	ole32.dll	C:\WINDOWS\system32\ole32.dll	N/A	Disabled
1140	svchost.exe	0x77c10000	0x58000	msvcrt.dll	C:\WINDOWS\system32\msvcrt.dll	N/A	Disabled
1140	svchost.exe	0x77120000	0x8b000	OLEAUT32.dll	C:\WINDOWS\system32\OLEAUT32.dll	N/A	Disabled
1140	svchost.exe	0x77be0000	0x15000	MSACM32.dll	C:\WINDOWS\system32\MSACM32.dll	N/A	Disabled
1140	svchost.exe	0x77c00000	0x8000	VERSION.dll	C:\WINDOWS\system32\VERSION.dll	N/A	Disabled
1140	svchost.exe	0x7c9c0000	0x817000	SHELL32.dll	C:\WINDOWS\system32\SHELL32.dll	N/A	Disabled
1140	svchost.exe	0x77f60000	0x76000	SHLWAPI.dll	C:\WINDOWS\system32\SHLWAPI.dll	N/A	Disabled
1140	svchost.exe	0x769c0000	0xb4000	USERENV.dll	C:\WINDOWS\system32\USERENV.dll	N/A

1512	spoolsv.exe	0x71ab0000	0x17000	WS2_32.dll	C:\WINDOWS\system32\WS2_32.dll	N/A	Disabled
1512	spoolsv.exe	0x71aa0000	0x8000	WS2HELP.dll	C:\WINDOWS\system32\WS2HELP.dll	N/A	Disabled
1512	spoolsv.exe	0x76f20000	0x27000	DNSAPI.dll	C:\WINDOWS\system32\DNSAPI.dll	N/A	Disabled
1512	spoolsv.exe	0x76d60000	0x19000	iphlpapi.dll	C:\WINDOWS\system32\iphlpapi.dll	N/A	Disabled
1512	spoolsv.exe	0x76fc0000	0x6000	rasadhlp.dll	C:\WINDOWS\system32\rasadhlp.dll	N/A	Disabled
1512	spoolsv.exe	0x75bb0000	0x56000	localspl.dll	C:\WINDOWS\system32\localspl.dll	N/A	Disabled
1512	spoolsv.exe	0x76c60000	0x2a000	sfc_os.dll	C:\WINDOWS\system32\sfc_os.dll	N/A	Disabled
1512	spoolsv.exe	0x76c30000	0x2e000	WINTRUST.dll	C:\WINDOWS\system32\WINTRUST.dll	N/A	Disabled
1512	spoolsv.exe	0x77a80000	0x95000	CRYPT32.dll	C:\WINDOWS\system32\CRYPT32.dll	N/A	Disabled
1512	spoolsv.exe	0x77b20000	0x12000	MSASN1.dll	C:\WINDOWS\system32\MSASN1.dll	N/A	Disabled
1512	spoolsv.exe	0x76c90000	0x28000	IMAGEHLP.dll	C:\WINDOWS\system32\IMA

1672	explorer.exe	0x76bf0000	0xb000	PSAPI.DLL	C:\WINDOWS\system32\PSAPI.DLL	N/A	Disabled
1672	explorer.exe	0x78130000	0x127000	urlmon.dll	C:\WINDOWS\system32\urlmon.dll	N/A	Disabled
1672	explorer.exe	0x76400000	0x1a5000	NETSHELL.dll	C:\WINDOWS\system32\NETSHELL.dll	N/A	Disabled
1672	explorer.exe	0x76c00000	0x2e000	credui.dll	C:\WINDOWS\system32\credui.dll	N/A	Disabled
1672	explorer.exe	0x478c0000	0xa000	dot3api.dll	C:\WINDOWS\system32\dot3api.dll	N/A	Disabled
1672	explorer.exe	0x76e80000	0xe000	rtutils.dll	C:\WINDOWS\system32\rtutils.dll	N/A	Disabled
1672	explorer.exe	0x736d0000	0x6000	dot3dlg.dll	C:\WINDOWS\system32\dot3dlg.dll	N/A	Disabled
1672	explorer.exe	0x5dca0000	0x28000	OneX.DLL	C:\WINDOWS\system32\OneX.DLL	N/A	Disabled
1672	explorer.exe	0x76f50000	0x8000	WTSAPI32.dll	C:\WINDOWS\system32\WTSAPI32.dll	N/A	Disabled
1672	explorer.exe	0x76360000	0x10000	WINSTA.dll	C:\WINDOWS\system32\WINSTA.dll	N/A	Disabled
1672	explorer.exe	0x745b0000	0x22000	eappcfg.dll	C:\WINDOWS\system32\eappcf

2004	VMwareUser.exe	0x7c9c0000	0x817000	SHELL32.dll	C:\WINDOWS\system32\SHELL32.dll	N/A	Disabled
2004	VMwareUser.exe	0x77f60000	0x76000	SHLWAPI.dll	C:\WINDOWS\system32\SHLWAPI.dll	N/A	Disabled
2004	VMwareUser.exe	0x774e0000	0x13d000	ole32.dll	C:\WINDOWS\system32\ole32.dll	N/A	Disabled
2004	VMwareUser.exe	0x76b40000	0x2d000	WINMM.dll	C:\WINDOWS\system32\WINMM.dll	N/A	Disabled
2004	VMwareUser.exe	0x71b20000	0x12000	MPR.dll	C:\WINDOWS\system32\MPR.dll	N/A	Disabled
2004	VMwareUser.exe	0x77c00000	0x8000	VERSION.dll	C:\WINDOWS\system32\VERSION.dll	N/A	Disabled
2004	VMwareUser.exe	0x10000000	0x10000	sigc-2.0.dll	C:\Program Files\VMware\VMware Tools\sigc-2.0.dll	N/A	Disabled
2004	VMwareUser.exe	0x7c420000	0x87000	MSVCP80.dll	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCP80.dll	N/A	Disabled
2004	VMwareUser.exe	0x71ab0000	0x17000	WS2_32.dll	C:\WINDOWS\system32\WS2_32.dll	N/A	Disabled
2004	VMwareUser.exe	0x71aa0000	0x8000	WS2HELP.dll	C:\WINDOWS\system

1032	VMwareService.e	0x774e0000	0x13d000	ole32.dll	C:\WINDOWS\system32\ole32.dll	N/A	Disabled
1032	VMwareService.e	0x77120000	0x8b000	OLEAUT32.dll	C:\WINDOWS\system32\OLEAUT32.dll	N/A	Disabled
1032	VMwareService.e	0x71ab0000	0x17000	WS2_32.dll	C:\WINDOWS\system32\WS2_32.dll	N/A	Disabled
1032	VMwareService.e	0x71aa0000	0x8000	WS2HELP.dll	C:\WINDOWS\system32\WS2HELP.dll	N/A	Disabled
1032	VMwareService.e	0x76390000	0x1d000	IMM32.DLL	C:\WINDOWS\system32\IMM32.DLL	N/A	Disabled
1032	VMwareService.e	0x773d0000	0x103000	comctl32.dll	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	N/A	Disabled
1032	VMwareService.e	0x5d090000	0x9a000	comctl32.dll	C:\WINDOWS\system32\comctl32.dll	N/A	Disabled
1032	VMwareService.e	0x76780000	0x9000	shfolder.dll	C:\WINDOWS\system32\shfolder.dll	N/A	Disabled
1032	VMwareService.e	0x76d60000	0x19000	IpHlpApi.dll	C:\WINDOWS\system32\IpHlpApi.dll	N/A	Disabled
1032	VMwareService.e	0x5ad70000	0x38000	uxthem

1464	msiexec.exe	0x77f60000	0x76000	SHLWAPI.dll	C:\WINDOWS\system32\SHLWAPI.dll	N/A	Disabled
1464	msiexec.exe	0x769c0000	0xb4000	USERENV.dll	C:\WINDOWS\system32\USERENV.dll	N/A	Disabled
1464	msiexec.exe	0x5ad70000	0x38000	UxTheme.dll	C:\WINDOWS\system32\UxTheme.dll	N/A	Disabled
1464	msiexec.exe	0x76390000	0x1d000	IMM32.DLL	C:\WINDOWS\system32\IMM32.DLL	N/A	Disabled
1464	msiexec.exe	0x773d0000	0x103000	comctl32.dll	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	N/A	Disabled
1464	msiexec.exe	0x640000	0x2c5000	xpsp2res.dll	C:\WINDOWS\system32\xpsp2res.dll	N/A	Disabled
1464	msiexec.exe	0x76fd0000	0x7f000	CLBCATQ.DLL	C:\WINDOWS\system32\CLBCATQ.DLL	N/A	Disabled
1464	msiexec.exe	0x77050000	0xc5000	COMRes.dll	C:\WINDOWS\system32\COMRes.dll	N/A	Disabled
1464	msiexec.exe	0x5b860000	0x55000	netapi32.dll	C:\WINDOWS\system32\netapi32.dll	N/A	Disabled
1464	msiexec.exe	0x76c60000	0x2a000	sfc_os.dll	C:\WINDOWS\system32\sfc_os.dll	N/A	

796	iexplore.exe	0x662b0000	0x58000	hnetcfg.dll	C:\WINDOWS\system32\hnetcfg.dll	N/A	Disabled
796	iexplore.exe	0x71a90000	0x8000	wshtcpip.dll	C:\WINDOWS\System32\wshtcpip.dll	N/A	Disabled
796	iexplore.exe	0x77c70000	0x24000	msv1_0.dll	C:\WINDOWS\system32\msv1_0.dll	N/A	Disabled
796	iexplore.exe	0x76d60000	0x19000	iphlpapi.dll	C:\WINDOWS\system32\iphlpapi.dll	N/A	Disabled
456	MIRAgent.exe	0x400000	0x192000	MIRAgent.exe	C:\Program Files\Mandiant\Mandiant Intelligent Response Agent\MIRAgent.exe	N/A	Disabled
456	MIRAgent.exe	0x7c900000	0xaf000	ntdll.dll	C:\WINDOWS\system32\ntdll.dll	N/A	Disabled
456	MIRAgent.exe	0x7c800000	0xf6000	kernel32.dll	C:\WINDOWS\system32\kernel32.dll	N/A	Disabled
456	MIRAgent.exe	0x10000000	0xbf000	libxml2.dll	C:\Program Files\Mandiant\Mandiant Intelligent Response Agent\libxml2.dll	N/A	Disabled
456	MIRAgent.exe	0x78130000	0x9b000	MSVCR80.dll	C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll	N/A	Disabled
456	MIRAgent

You can restrict the listing to specific processes with the `--pid` flag, as shown below for our suspicious process:

In [18]:
python ../volatility3/vol.py -q -f E:\APT.img windows.dlllist.DllList --pid=796

Volatility 3 Framework 1.2.1

PID	Process	Base	Size	Name	Path	LoadTime	File output

796	iexplore.exe	0x400000	0x9b000	iexplore.exe	C:\Program Files\Internet Explorer\iexplore.exe	N/A	Disabled
796	iexplore.exe	0x7c900000	0xaf000	ntdll.dll	C:\WINDOWS\system32\ntdll.dll	N/A	Disabled
796	iexplore.exe	0x7c800000	0xf6000	kernel32.dll	C:\WINDOWS\system32\kernel32.dll	N/A	Disabled
796	iexplore.exe	0x77dd0000	0x9b000	ADVAPI32.dll	C:\WINDOWS\system32\ADVAPI32.dll	N/A	Disabled
796	iexplore.exe	0x77e70000	0x92000	RPCRT4.dll	C:\WINDOWS\system32\RPCRT4.dll	N/A	Disabled
796	iexplore.exe	0x77fe0000	0x11000	Secur32.dll	C:\WINDOWS\system32\Secur32.dll	N/A	Disabled
796	iexplore.exe	0x77f10000	0x49000	GDI32.dll	C:\WINDOWS\system32\GDI32.dll	N/A	Disabled
796	iexplore.exe	0x7e410000	0x91000	USER32.dll	C:\WINDOWS\system32\USER32.dll	N/A	Disabled
796	iexplore.exe	0x77c10000	0x58000	msvcrt.dll	C:\WINDOWS\system32\msvcrt.dll	N/A	Disabled
796	iexplore.exe	0x77f60000	0x76000	SHLWAPI.dll	C:\WINDOWS\system32\SHLWAP

## dlldump
Let's dump all the DLLs associated with this process into our dump folder to examine them further. In Volatility 3 this is the `--dump` option of `dlllist` (with `-o dump` selecting the output folder), as shown below:

In [19]:
python ../volatility3/vol.py -q -o dump -f E:\APT.img windows.dlllist.DllList --pid=796 --dump

Volatility 3 Framework 1.2.1

PID	Process	Base	Size	Name	Path	LoadTime	File output

796	iexplore.exe	0x400000	0x9b000	iexplore.exe	C:\Program Files\Internet Explorer\iexplore.exe	N/A	pid.796.iexplore.exe.0x291ec0.0x400000.dmp
796	iexplore.exe	0x7c900000	0xaf000	ntdll.dll	C:\WINDOWS\system32\ntdll.dll	N/A	pid.796.ntdll.dll.0x291f18.0x7c900000.dmp
796	iexplore.exe	0x7c800000	0xf6000	kernel32.dll	C:\WINDOWS\system32\kernel32.dll	N/A	pid.796.kernel32.dll.0x291fc0.0x7c800000.dmp
796	iexplore.exe	0x77dd0000	0x9b000	ADVAPI32.dll	C:\WINDOWS\system32\ADVAPI32.dll	N/A	pid.796.ADVAPI32.dll.0x292068.0x77dd0000.dmp
796	iexplore.exe	0x77e70000	0x92000	RPCRT4.dll	C:\WINDOWS\system32\RPCRT4.dll	N/A	pid.796.RPCRT4.dll.0x292108.0x77e70000.dmp
796	iexplore.exe	0x77fe0000	0x11000	Secur32.dll	C:\WINDOWS\system32\Secur32.dll	N/A	pid.796.Secur32.dll.0x2921a8.0x77fe0000.dmp
796	iexplore.exe	0x77f10000	0x49000	GDI32.dll	C:\WINDOWS\system32\GDI32.dll	N/A	pid.796.GDI32.dll.0x292248.0x77f10000.dmp
796	iexplore.ex

Review the suspicious DLL, which is named `id.796.irykmmww.d1l.0x292b30.0x10000000.dmp`, in the other tool sets in your VM.

## modules
`modules` lists all the loaded kernel drivers on the system. The plugin enumerates the doubly-linked list of `LDR_DATA_TABLE_ENTRY` structures pointed to by `PsLoadedModuleList`, which relies on first finding the `KDBG` structure in memory, similar to `pslist`.

In [20]:
python ../volatility3/vol.py -q -f E:\APT.img  windows.modules.Modules

Volatility 3 Framework 1.2.1

Offset	Base	Size	Name	Path	File output

0x823fc3b0	0x804d7000	0x1f8680	ntoskrnl.exe	\WINDOWS\system32\ntkrnlpa.exe	Disabled
0x823fc348	0x806d0000	0x20300	hal.dll	\WINDOWS\system32\hal.dll	Disabled
0x823fc2e0	0xf8b9a000	0x2000	kdcom.dll	\WINDOWS\system32\KDCOM.DLL	Disabled
0x823fc270	0xf8aaa000	0x3000	BOOTVID.dll	\WINDOWS\system32\BOOTVID.dll	Disabled
0x823fc208	0xf856b000	0x2e000	ACPI.sys	ACPI.sys	Disabled
0x823fc198	0xf8b9c000	0x2000	WMILIB.SYS	\WINDOWS\system32\DRIVERS\WMILIB.SYS	Disabled
0x823fc130	0xf855a000	0x11000	pci.sys	pci.sys	Disabled
0x823fc0c0	0xf869a000	0xa000	isapnp.sys	isapnp.sys	Disabled
0x823fc050	0xf8aae000	0x3000	compbatt.sys	compbatt.sys	Disabled
0x823ed008	0xf8ab2000	0x4000	BATTC.SYS	\WINDOWS\system32\DRIVERS\BATTC.SYS	Disabled
0x823edf98	0xf8b9e000	0x2000	intelide.sys	intelide.sys	Disabled
0x823edf28	0xf891a000	0x7000	PCIIDEX.SYS	\WINDOWS\system32\drivers\PCIIDEX.SYS	Disabled
0x823edeb8	0xf86aa000	0xb000	MountMgr.sys	MountMgr.sys	Disa

0x81eabe78	0xbf800000	0x1c3000	win32k.sys	\SystemRoot\System32\win32k.sys	Disabled
0x81f78008	0xf8157000	0x3000	Dxapi.sys	\SystemRoot\System32\drivers\Dxapi.sys	Disabled
0x81df2568	0xf8a0a000	0x5000	watchdog.sys	\SystemRoot\System32\watchdog.sys	Disabled
0x81df3338	0xbf9c3000	0x12000	dxg.sys	\SystemRoot\System32\drivers\dxg.sys	Disabled
0x81df5630	0xf8cba000	0x1000	dxgthk.sys	\SystemRoot\System32\drivers\dxgthk.sys	Disabled
0x81e58bb8	0xbf9d5000	0x29000	vmx_fb.dll	\SystemRoot\System32\vmx_fb.dll	Disabled
0x822fea30	0xbffa0000	0x46000	ATMFD.DLL	\SystemRoot\System32\ATMFD.DLL	Disabled
0x81f61730	0xf683c000	0x4000	ndisuio.sys	\SystemRoot\system32\DRIVERS\ndisuio.sys	Disabled
0x81dbd970	0xf649b000	0x2d000	mrxdav.sys	\SystemRoot\system32\DRIVERS\mrxdav.sys	Disabled
0x81e901c0	0xf8c4e000	0x2000	ParVdm.SYS	\SystemRoot\System32\Drivers\ParVdm.SYS	Disabled
0x821665b8	0xf8c50000	0x2000	vmmemctl.sys	\??\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys	Disabled
0x8219f328	0xf635900

## modscan
As the naming convention suggests, `modscan` looks for modules forensically: instead of walking the linked list it scans memory for the module structures themselves, so it will find both loaded and unloaded modules. Unlike `modules`, the order of the output is not the order in which the modules were loaded.

In [21]:
python ../volatility3/vol.py -q -f E:\APT.img  windows.modscan.ModScan

Volatility 3 Framework 1.2.1

Offset	Base	Size	Name	Path	File output

0x59cac0	0x89607b8d	0x89662c46			Disabled
0x5a3910	0x6600000c	0x8d50a045			Disabled
0x5a3e86	0x400	0x66000010			Disabled
0x1f1c7d0	0xf836f000	0x4000	irykmmww.sys	\??\C:\WINDOWS\system32\drivers\irykmmww.sys	Disabled
0x1fbd970	0xf649b000	0x2d000	mrxdav.sys	\SystemRoot\system32\DRIVERS\mrxdav.sys	Disabled
0x1fe34c8	0xf82d2000	0x17000	ndiswan.sys	\SystemRoot\system32\DRIVERS\ndiswan.sys	Disabled
0x1ff2568	0xf8a0a000	0x5000	watchdog.sys	\SystemRoot\System32\watchdog.sys	Disabled
0x1ff3338	0xbf9c3000	0x12000	dxg.sys	\SystemRoot\System32\drivers\dxg.sys	Disabled
0x1ff5630	0xf8cba000	0x1000	dxgthk.sys	\SystemRoot\System32\drivers\dxgthk.sys	Disabled
0x1ffb8c8	0xf6110000	0x41000	HTTP.sys	\SystemRoot\System32\Drivers\HTTP.sys	Disabled
0x2009670	0xf698e000	0x70000	mrxsmb.sys	\SystemRoot\system32\DRIVERS\mrxsmb.sys	Disabled
0x2058bb8	0xbf9d5000	0x29000	vmx_fb.dll	\SystemRoot\System32\vmx_fb.dll	Disabled
0x2080740	0xf8cc4000	0x1

0x25edae0	0xf86ca000	0x9000	disk.sys	disk.sys	Disabled
0x25edb48	0xf84e5000	0x18000	SCSIPORT.SYS	\WINDOWS\System32\DRIVERS\SCSIPORT.SYS	Disabled
0x25edbb8	0xf8ab6000	0x3000	vmscsi.sys	vmscsi.sys	Disabled
0x25edc28	0xf84fd000	0x18000	atapi.sys	atapi.sys	Disabled
0x25edc90	0xf86ba000	0xd000	VolSnap.sys	VolSnap.sys	Disabled
0x25edd00	0xf8922000	0x5000	PartMgr.sys	PartMgr.sys	Disabled
0x25edd70	0xf8515000	0x26000	dmio.sys	dmio.sys	Disabled
0x25eddd8	0xf8ba0000	0x2000	dmload.sys	dmload.sys	Disabled
0x25ede48	0xf853b000	0x1f000	ftdisk.sys	ftdisk.sys	Disabled
0x25edeb8	0xf86aa000	0xb000	MountMgr.sys	MountMgr.sys	Disabled
0x25edf28	0xf891a000	0x7000	PCIIDEX.SYS	\WINDOWS\system32\drivers\PCIIDEX.SYS	Disabled
0x25edf98	0xf8b9e000	0x2000	intelide.sys	intelide.sys	Disabled
0x25fc050	0xf8aae000	0x3000	compbatt.sys	compbatt.sys	Disabled
0x25fc0c0	0xf869a000	0xa000	isapnp.sys	isapnp.sys	Disabled
0x25fc130	0xf855a000	0x11000	pci.sys	pci.sys	Disabled
0x25fc198	0xf8b9c000	0x2000	WMILIB.SYS	\WINDOWS\syst
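
The difference between the two views is what matters for analysis: a driver that `modscan` finds but `modules` does not has either been unloaded or unlinked from `PsLoadedModuleList`. As an added example (not from this notebook or the Volatility project), the following Python parses the tab-separated output of both plugins and lists the scan-only drivers; the sample rows are constructed from the output above, and the `_tsv`, `parse_vol_output`, `scan_only_modules` and `loaded_by_full_path` names are this example's own.

```python
# Added example: cross-view comparison of windows.modules vs windows.modscan output.
# Sample rows are constructed from the notebook output above; a real run would
# feed in the complete text output of each plugin (the parser works for any plugin).

def _tsv(*records):
    """Join constructed rows the way Volatility 3 prints them (banner, blank, tabs)."""
    return "Volatility 3 Framework 1.2.1\n\n" + "\n".join("\t".join(r) for r in records) + "\n"

HEADER = ("Offset", "Base", "Size", "Name", "Path", "File output")

# windows.modules.Modules walks PsLoadedModuleList; its Offset column is virtual.
MODULES_OUT = _tsv(HEADER,
    ("0x823fc3b0", "0x804d7000", "0x1f8680", "ntoskrnl.exe", r"\WINDOWS\system32\ntkrnlpa.exe", "Disabled"),
    ("0x81dbd970", "0xf649b000", "0x2d000", "mrxdav.sys", r"\SystemRoot\system32\DRIVERS\mrxdav.sys", "Disabled"),
    ("0x821665b8", "0xf8c50000", "0x2000", "vmmemctl.sys", r"\??\C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys", "Disabled"))

# windows.modscan.ModScan pool-scans physical memory; its Offset column is physical,
# so the same driver shows a different Offset but the same Base (virtual load address).
MODSCAN_OUT = _tsv(HEADER,
    ("0x59cac0", "0x89607b8d", "0x89662c46", "", "", "Disabled"),  # nameless scan hit = noise
    ("0x1f1c7d0", "0xf836f000", "0x4000", "irykmmww.sys", r"\??\C:\WINDOWS\system32\drivers\irykmmww.sys", "Disabled"),
    ("0x1fbd970", "0xf649b000", "0x2d000", "mrxdav.sys", r"\SystemRoot\system32\DRIVERS\mrxdav.sys", "Disabled"))

def parse_vol_output(text):
    """Turn Volatility 3 text output into a list of dicts keyed by the header row."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Volatility 3"):
            continue  # skip banner and blank lines
        fields = line.split("\t")
        if header is None:
            header = fields
        else:
            rows.append(dict(zip(header, fields)))
    return rows

def scan_only_modules(modules_text, modscan_text):
    """Modscan hits absent from the linked-list view (unloaded or unlinked drivers).
    Offsets differ between the plugins, so match on Base + Name; drop nameless hits."""
    linked = {(r["Base"], r["Name"].lower()) for r in parse_vol_output(modules_text)}
    return [r for r in parse_vol_output(modscan_text)
            if r["Name"] and (r["Base"], r["Name"].lower()) not in linked]

def loaded_by_full_path(path):
    """True for drivers registered with an absolute \\??\\ path instead of the usual
    \\SystemRoot form; worth triage, though VMware Tools (vmmemctl.sys above) does it too."""
    return path.startswith("\\??\\")

if __name__ == "__main__":
    for r in scan_only_modules(MODULES_OUT, MODSCAN_OUT):
        print(r["Name"], r["Base"], r["Path"], "(full-path load)" if loaded_by_full_path(r["Path"]) else "")
```

Run against the complete output of both plugins, the only scan-only row with a name on this image should be the `irykmmww.sys` driver seen above.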

## moddump
In Volatility 3 the `moddump` functionality is the `--dump` option of `windows.modules.Modules`; with `-o dump` each module is written to the dump folder, and the `File output` column shows the resulting file name:

In [27]:
 python ../volatility3/vol.py -q -o dump -f E:\APT.img  windows.modules.Modules --dump

Volatility 3 Framework 1.2.1

Offset	Base	Size	Name	Path	File output

0x823fc3b0	0x804d7000	0x1f8680	ntoskrnl.exe	\WINDOWS\system32\ntkrnlpa.exe	ntkrnlpa.exe.0x823fc3b0.0x804d7000.dmp
0x823fc348	0x806d0000	0x20300	hal.dll	\WINDOWS\system32\hal.dll	hal.dll.0x823fc348.0x806d0000.dmp
0x823fc2e0	0xf8b9a000	0x2000	kdcom.dll	\WINDOWS\system32\KDCOM.DLL	KDCOM.DLL.0x823fc2e0.0xf8b9a000.dmp
0x823fc270	0xf8aaa000	0x3000	BOOTVID.dll	\WINDOWS\system32\BOOTVID.dll	BOOTVID.dll.0x823fc270.0xf8aaa000.dmp
0x823fc208	0xf856b000	0x2e000	ACPI.sys	ACPI.sys	ACPI.sys.0x823fc208.0xf856b000.dmp
0x823fc198	0xf8b9c000	0x2000	WMILIB.SYS	\WINDOWS\system32\DRIVERS\WMILIB.SYS	WMILIB.SYS.0x823fc198.0xf8b9c000.dmp
0x823fc130	0xf855a000	0x11000	pci.sys	pci.sys	pci.sys.0x823fc130.0xf855a000.dmp
0x823fc0c0	0xf869a000	0xa000	isapnp.sys	isapnp.sys	isapnp.sys.0x823fc0c0.0xf869a000.dmp
0x823fc050	0xf8aae000	0x3000	compbatt.sys	compbatt.sys	compbatt.sys.0x823fc050.0xf8aae000.dmp
0x823ed008	0xf8ab2000	0x4000	BATTC.SYS	\WINDOWS

0x82317470	0xf89c2000	0x5000	Msfs.SYS	\SystemRoot\System32\Drivers\Msfs.SYS	Msfs.SYS.0x82317470.0xf89c2000.dmp
0x82317240	0xf89ca000	0x8000	Npfs.SYS	\SystemRoot\System32\Drivers\Npfs.SYS	Npfs.SYS.0x82317240.0xf89ca000.dmp
0x82312808	0xf838f000	0x3000	rasacd.sys	\SystemRoot\system32\DRIVERS\rasacd.sys	rasacd.sys.0x82312808.0xf838f000.dmp
0x821abdf8	0xf6b10000	0x13000	ipsec.sys	\SystemRoot\system32\DRIVERS\ipsec.sys	ipsec.sys.0x821abdf8.0xf6b10000.dmp
0x821ab940	0xf6ab7000	0x59000	tcpip.sys	\SystemRoot\system32\DRIVERS\tcpip.sys	tcpip.sys.0x821ab940.0xf6ab7000.dmp
0x821ab4f8	0xf6a8f000	0x28000	netbt.sys	\SystemRoot\system32\DRIVERS\netbt.sys	netbt.sys.0x821ab4f8.0xf6a8f000.dmp
0x821a0b40	0xf838b000	0x3000	ws2ifsl.sys	\SystemRoot\System32\drivers\ws2ifsl.sys	ws2ifsl.sys.0x821a0b40.0xf838b000.dmp
0x821ab120	0xf6a6d000	0x22000	afd.sys	\SystemRoot\System32\drivers\afd.sys	afd.sys.0x821ab120.0xf6a6d000.dmp
0x8219f9d8	0xf889a000	0x9000	netbios.sys	\SystemRoot\system32\DRIVERS\netbios.sys	netbi

Review the dumped modules in your tools on your VM; remember that the dump is not named `irykmmww.sys` but `driver.f836f000.sys`.