; Volatility 3 (1.0.1) report of process memory regions. The column set matches the
; windows.malfind plugin (the plugin name is not printed on the page; confirm).
; Every hit shown is a private VadS region with PAGE_EXECUTE_READWRITE protection. That
; combination is why a region is listed; it is a lead for review, not a verdict.
; Hexdump shows only the first 64 bytes of each region, and Disasm decodes those bytes from
; offset 0 whether or not they are code. File output reads Disabled for every hit, so no
; dump file is referenced for any region.
Volatility 3 Framework 1.0.1
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm

; PID 1556, 0x3130000: the 64 bytes are zero except the little-endian dwords at +0x10, +0x20
; and +0x30 (0x03130000, 0x03130010, 0x03130020), which point back into this same region.
; `add byte ptr [eax], al` is the decoding of the byte pair 00 00, and
; `adc eax, dword ptr [ebx]` is the 13 03 of those dwords, so the listing is data read as
; instructions. Nothing in the visible bytes looks like code.
1556 explorer.exe 0x3130000 0x3130fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 13 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
10 00 13 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
20 00 13 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x3130000: add byte ptr [eax], al
0x3130002: add byte ptr [eax], al
0x3130004: add byte ptr [eax], al
0x3130006: add byte ptr [eax], al
0x3130008: add byte ptr [eax], al
0x313000a: add byte ptr [eax], al
0x313000c: add byte ptr [eax], al
0x313000e: add byte ptr [eax], al
0x3130010: add byte ptr [eax], al
0x3130012: adc eax, dword ptr [ebx]
0x3130014: add byte ptr [eax], al
0x3130016: add byte ptr [eax], al
0x3130018: add byte ptr [eax], al
0x313001a: add byte ptr [eax], al
0x313001c: add byte ptr [eax], al
0x313001e: add byte ptr [eax], al
0x3130020: adc byte ptr [eax], al
0x3130022: adc eax, dword ptr [ebx]
0x3130024: add byte ptr [eax], al
0x3130026: add byte ptr [eax], al
0x3130028: add byte ptr [eax], al
0x313002a: add byte ptr [eax], al
0x313002c: add byte ptr [eax], al
0x313002e: add byte ptr [eax], al
0x3130030: and byte ptr [eax], al
0x3130032: adc eax, dword ptr [ebx]
0x3130034: add byte ptr [eax], al
0x3130036: add byte ptr [eax], al
0x3130038: add byte ptr [eax], al
0x313003a: add byte ptr [eax], al
0x313003c: add byte ptr [eax], al
0x313003e: add byte ptr [eax], al

; PID 2460 (the process name appears truncated in the report), 0x730000-0x76ffff: the dword
; at +0x08 is 0xffeeffee, and most other dwords are addresses inside the region (0x007300a8,
; 0x00730588, 0x00730ff0) or its end + 1 (0x00770000). That layout is consistent with an NT
; heap segment header rather than code. NOTE(review): confirm against the process heap list.
2460 SearchFilterHo 0x730000 0x76ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
c5 2f 31 e7 87 c4 00 01 ./1.....
ee ff ee ff 00 00 00 00 ........
a8 00 73 00 a8 00 73 00 ..s...s.
00 00 73 00 00 00 73 00 ..s...s.
40 00 00 00 88 05 73 00 @.....s.
00 00 77 00 3f 00 00 00 ..w.?...
01 00 00 00 00 00 00 00 ........
f0 0f 73 00 f0 0f 73 00 ..s...s.
; Disassembly of the 0x730000 hit (PID 2460). Only nine bytes are decoded; `out dx, al` at
; +0x08 is the first byte (ee) of the ee ff ee ff marker in the hexdump, so these lines most
; likely decode header data, not code.
0x730000: lds ebp, ptr [edi]
0x730002: xor edi, esp
0x730004: xchg esp, eax
0x730006: add byte ptr [ecx], al
0x730008: out dx, al

; PID 2856, 0x16e0000: zero-filled except the dwords at +0x10, +0x20 and +0x30 (0x016e0000,
; 0x016e0010, 0x016e0020), which point back into this region. The decoder loses alignment on
; the 6e 01 bytes (addresses turn odd from 0x16e0013), another sign that this is data.
2856 explorer.exe 0x16e0000 0x16e0fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 6e 01 00 00 00 00 ..n.....
00 00 00 00 00 00 00 00 ........
10 00 6e 01 00 00 00 00 ..n.....
00 00 00 00 00 00 00 00 ........
20 00 6e 01 00 00 00 00 ..n.....
00 00 00 00 00 00 00 00 ........
0x16e0000: add byte ptr [eax], al
0x16e0002: add byte ptr [eax], al
0x16e0004: add byte ptr [eax], al
0x16e0006: add byte ptr [eax], al
0x16e0008: add byte ptr [eax], al
0x16e000a: add byte ptr [eax], al
0x16e000c: add byte ptr [eax], al
0x16e000e: add byte ptr [eax], al
0x16e0010: add byte ptr [eax], al
0x16e0012: outsb dx, byte ptr [esi]
0x16e0013: add dword ptr [eax], eax
0x16e0015: add byte ptr [eax], al
0x16e0017: add byte ptr [eax], al
0x16e0019: add byte ptr [eax], al
0x16e001b: add byte ptr [eax], al
0x16e001d: add byte ptr [eax], al
0x16e001f: add byte ptr [eax], dl
0x16e0021: add byte ptr [esi + 1], ch
0x16e0024: add byte ptr [eax], al
0x16e0026: add byte ptr [eax], al
0x16e0028: add byte ptr [eax], al
0x16e002a: add byte ptr [eax], al
0x16e002c: add byte ptr [eax], al
0x16e002e: add byte ptr [eax], al
0x16e0030: and byte ptr [eax], al
0x16e0032: outsb dx, byte ptr [esi]
0x16e0033: add dword ptr [eax], eax
0x16e0035: add byte ptr [eax], al
0x16e0037: add byte ptr [eax], al
0x16e0039: add byte ptr [eax], al
0x16e003b: add byte ptr [eax], al
0x16e003d: add byte ptr [eax], al

; PID 2856, 0x38d0000: unlike the zero-filled hits, these 64 bytes decode cleanly as sixteen
; 4-byte stubs, `mov al, N` (b0 NN) followed by a short jmp (eb XX), N = 0..0xf, all landing
; on +0x74. The target lies beyond the 64 bytes shown, so what the stubs dispatch to cannot
; be read from this page. The same 64 bytes appear in iexplore.exe PID 3324 at 0x1fd0000 and
; PID 3344 at 0x25c0000. Whether this is a benign thunk table or injected code needs the
; region contents past +0x40.
2856 explorer.exe 0x38d0000 0x38d1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
b0 00 eb 70 b0 01 eb 6c ...p...l
b0 02 eb 68 b0 03 eb 64 ...h...d
b0 04 eb 60 b0 05 eb 5c ...`...\
b0 06 eb 58 b0 07 eb 54 ...X...T
b0 08 eb 50 b0 09 eb 4c ...P...L
b0 0a eb 48 b0 0b eb 44 ...H...D
b0 0c eb 40 b0 0d eb 3c ...@...<
b0 0e eb 38 b0 0f eb 34 ...8...4
0x38d0000: mov al, 0
0x38d0002: jmp 0x38d0074
0x38d0004: mov al, 1
0x38d0006: jmp 0x38d0074
0x38d0008: mov al, 2
0x38d000a: jmp 0x38d0074
0x38d000c: mov al, 3
0x38d000e: jmp 0x38d0074
0x38d0010: mov al, 4
0x38d0012: jmp 0x38d0074
0x38d0014: mov al, 5
0x38d0016: jmp 0x38d0074
0x38d0018: mov al, 6
0x38d001a: jmp 0x38d0074
0x38d001c: mov al, 7
0x38d001e: jmp 0x38d0074
0x38d0020: mov al, 8
0x38d0022: jmp 0x38d0074
0x38d0024: mov al, 9
0x38d0026: jmp 0x38d0074
0x38d0028: mov al, 0xa
0x38d002a: jmp 0x38d0074
0x38d002c: mov al, 0xb
0x38d002e: jmp 0x38d0074
0x38d0030: mov al, 0xc
0x38d0032: jmp 0x38d0074
0x38d0034: mov al, 0xd
0x38d0036: jmp 0x38d0074
0x38d0038: mov al, 0xe
0x38d003a: jmp 0x38d0074
0x38d003c: mov al, 0xf
0x38d003e: jmp 0x38d0074

; PID 3324, 0x1fd0000: the same 64-byte stub table as 0x38d0000 in PID 2856 (identical
; hexdump rows, same +0x74 target offset), here in iexplore.exe.
3324 iexplore.exe 0x1fd0000 0x1fd1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
b0 00 eb 70 b0 01 eb 6c ...p...l
b0 02 eb 68 b0 03 eb 64 ...h...d
b0 04 eb 60 b0 05 eb 5c ...`...\
b0 06 eb 58 b0 07 eb 54 ...X...T
b0 08 eb 50 b0 09 eb 4c ...P...L
b0 0a eb 48 b0 0b eb 44 ...H...D
b0 0c eb 40 b0 0d eb 3c ...@...<
b0 0e eb 38 b0 0f eb 34 ...8...4
0x1fd0000: mov al, 0
0x1fd0002: jmp 0x1fd0074
0x1fd0004: mov al, 1
0x1fd0006: jmp 0x1fd0074
0x1fd0008: mov al, 2
0x1fd000a: jmp 0x1fd0074
0x1fd000c: mov al, 3
0x1fd000e: jmp 0x1fd0074
0x1fd0010: mov al, 4
0x1fd0012: jmp 0x1fd0074
0x1fd0014: mov al, 5
0x1fd0016: jmp 0x1fd0074
0x1fd0018: mov al, 6
0x1fd001a: jmp 0x1fd0074
0x1fd001c: mov al, 7
0x1fd001e: jmp 0x1fd0074
0x1fd0020: mov al, 8
0x1fd0022: jmp 0x1fd0074
0x1fd0024: mov al, 9
0x1fd0026: jmp 0x1fd0074
0x1fd0028: mov al, 0xa
0x1fd002a: jmp 0x1fd0074
0x1fd002c: mov al, 0xb
0x1fd002e: jmp 0x1fd0074
0x1fd0030: mov al, 0xc
0x1fd0032: jmp 0x1fd0074
0x1fd0034: mov al, 0xd
0x1fd0036: jmp 0x1fd0074
0x1fd0038: mov al, 0xe
0x1fd003a: jmp 0x1fd0074
0x1fd003c: mov al, 0xf
0x1fd003e: jmp 0x1fd0074

; PID 3324, 0x3030000: first four hexdump rows of a zero-filled region of the same shape as
; 0x3130000 (PID 1556) and 0x16e0000 (PID 2856); the remaining rows follow.
3324 iexplore.exe 0x3030000 0x3030fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 03 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
; Remaining hexdump rows and the disassembly of the 0x3030000 hit (iexplore.exe PID 3324).
; The only non-zero bytes are dwords that point back into the region (0x03030010 and
; 0x03030020 in these rows). `add byte ptr [eax], al` is the decoding of 00 00 and
; `add eax, dword ptr [ebx]` is the 03 03 of those dwords: data read as instructions.
10 00 03 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
20 00 03 03 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x3030000: add byte ptr [eax], al
0x3030002: add byte ptr [eax], al
0x3030004: add byte ptr [eax], al
0x3030006: add byte ptr [eax], al
0x3030008: add byte ptr [eax], al
0x303000a: add byte ptr [eax], al
0x303000c: add byte ptr [eax], al
0x303000e: add byte ptr [eax], al
0x3030010: add byte ptr [eax], al
0x3030012: add eax, dword ptr [ebx]
0x3030014: add byte ptr [eax], al
0x3030016: add byte ptr [eax], al
0x3030018: add byte ptr [eax], al
0x303001a: add byte ptr [eax], al
0x303001c: add byte ptr [eax], al
0x303001e: add byte ptr [eax], al
0x3030020: adc byte ptr [eax], al
0x3030022: add eax, dword ptr [ebx]
0x3030024: add byte ptr [eax], al
0x3030026: add byte ptr [eax], al
0x3030028: add byte ptr [eax], al
0x303002a: add byte ptr [eax], al
0x303002c: add byte ptr [eax], al
0x303002e: add byte ptr [eax], al
0x3030030: and byte ptr [eax], al
0x3030032: add eax, dword ptr [ebx]
0x3030034: add byte ptr [eax], al
0x3030036: add byte ptr [eax], al
0x3030038: add byte ptr [eax], al
0x303003a: add byte ptr [eax], al
0x303003c: add byte ptr [eax], al
0x303003e: add byte ptr [eax], al

; PID 3324, 0x5fff0000-0x5fffffff (CommitCharge 16): the region opens with the ASCII bytes
; "dtrR" and one dword at +0x08 (0x5fff0200) that points into the region; the rest of the
; 64 bytes is zero. A region with the same base and tag is listed for iexplore.exe PID 3344,
; differing only in that dword (0x5fff0320). The visible bytes look like a tagged data
; header, not code. NOTE(review): the owner of the "dtrR" tag is not identifiable from this page.
3324 iexplore.exe 0x5fff0000 0x5fffffff VadS PAGE_EXECUTE_READWRITE 16 1 Disabled
64 74 72 52 00 00 00 00 dtrR....
00 02 ff 5f 00 00 00 00 ..._....
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
; Disassembly of the 0x5fff0000 hit in iexplore.exe PID 3324. `je 0x5fff0075` and `push edx`
; are the ASCII bytes 64 74 72 52 ("dtrR") decoded as opcodes, and `lcall [edi]` is the
; ff 5f of the dword at +0x08; the branch targets are decoding artefacts, not control flow.
0x5fff0000: je 0x5fff0075
0x5fff0003: push edx
0x5fff0004: add byte ptr [eax], al
0x5fff0006: add byte ptr [eax], al
0x5fff0008: add byte ptr [edx], al
0x5fff000a: lcall [edi]
0x5fff000d: add byte ptr [eax], al
0x5fff000f: add byte ptr [eax], al
0x5fff0011: add byte ptr [eax], al
0x5fff0013: add byte ptr [eax], al
0x5fff0015: add byte ptr [eax], al
0x5fff0017: add byte ptr [eax], al
0x5fff0019: add byte ptr [eax], al
0x5fff001b: add byte ptr [eax], al
0x5fff001d: add byte ptr [eax], al
0x5fff001f: add byte ptr [eax], al
0x5fff0021: add byte ptr [eax], al
0x5fff0023: add byte ptr [eax], al
0x5fff0025: add byte ptr [eax], al
0x5fff0027: add byte ptr [eax], al
0x5fff0029: add byte ptr [eax], al
0x5fff002b: add byte ptr [eax], al
0x5fff002d: add byte ptr [eax], al
0x5fff002f: add byte ptr [eax], al
0x5fff0031: add byte ptr [eax], al
0x5fff0033: add byte ptr [eax], al
0x5fff0035: add byte ptr [eax], al
0x5fff0037: add byte ptr [eax], al
0x5fff0039: add byte ptr [eax], al
0x5fff003b: add byte ptr [eax], al
0x5fff003d: add byte ptr [eax], al

; PID 3344, 0x25c0000: the same 64-byte table of `mov al, N` / `jmp +0x74` stubs that is
; listed for explorer.exe PID 2856 (0x38d0000) and iexplore.exe PID 3324 (0x1fd0000).
; Identical content in three processes is worth correlating, but the jump target at +0x74
; is outside the bytes shown.
3344 iexplore.exe 0x25c0000 0x25c1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
b0 00 eb 70 b0 01 eb 6c ...p...l
b0 02 eb 68 b0 03 eb 64 ...h...d
b0 04 eb 60 b0 05 eb 5c ...`...\
b0 06 eb 58 b0 07 eb 54 ...X...T
b0 08 eb 50 b0 09 eb 4c ...P...L
b0 0a eb 48 b0 0b eb 44 ...H...D
b0 0c eb 40 b0 0d eb 3c ...@...<
b0 0e eb 38 b0 0f eb 34 ...8...4
0x25c0000: mov al, 0
0x25c0002: jmp 0x25c0074
0x25c0004: mov al, 1
0x25c0006: jmp 0x25c0074
0x25c0008: mov al, 2
0x25c000a: jmp 0x25c0074
0x25c000c: mov al, 3
0x25c000e: jmp 0x25c0074
0x25c0010: mov al, 4
0x25c0012: jmp 0x25c0074
0x25c0014: mov al, 5
0x25c0016: jmp 0x25c0074
0x25c0018: mov al, 6
0x25c001a: jmp 0x25c0074
0x25c001c: mov al, 7
0x25c001e: jmp 0x25c0074
0x25c0020: mov al, 8
0x25c0022: jmp 0x25c0074
0x25c0024: mov al, 9
0x25c0026: jmp 0x25c0074
0x25c0028: mov al, 0xa
0x25c002a: jmp 0x25c0074
0x25c002c: mov al, 0xb
0x25c002e: jmp 0x25c0074
0x25c0030: mov al, 0xc
0x25c0032: jmp 0x25c0074
; Last three stubs of the 0x25c0000 table in iexplore.exe PID 3344 (N = 0xd..0xf).
0x25c0034: mov al, 0xd
0x25c0036: jmp 0x25c0074
0x25c0038: mov al, 0xe
0x25c003a: jmp 0x25c0074
0x25c003c: mov al, 0xf
0x25c003e: jmp 0x25c0074

; PID 3344, 0x5fff0000: same base, size, CommitCharge and "dtrR" tag as the 0x5fff0000 hit in
; PID 3324; only the dword at +0x08 differs (0x5fff0320 here). The disassembly decodes the
; tag and that dword (`je`, `push edx`, `and byte ptr [ebx], al`, `lcall [edi]`) and then
; zero bytes, so it carries no information about executable content.
3344 iexplore.exe 0x5fff0000 0x5fffffff VadS PAGE_EXECUTE_READWRITE 16 1 Disabled
64 74 72 52 00 00 00 00 dtrR....
20 03 ff 5f 00 00 00 00 ..._....
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
0x5fff0000: je 0x5fff0075
0x5fff0003: push edx
0x5fff0004: add byte ptr [eax], al
0x5fff0006: add byte ptr [eax], al
0x5fff0008: and byte ptr [ebx], al
0x5fff000a: lcall [edi]
0x5fff000d: add byte ptr [eax], al
0x5fff000f: add byte ptr [eax], al
0x5fff0011: add byte ptr [eax], al
0x5fff0013: add byte ptr [eax], al
0x5fff0015: add byte ptr [eax], al
0x5fff0017: add byte ptr [eax], al
0x5fff0019: add byte ptr [eax], al
0x5fff001b: add byte ptr [eax], al
0x5fff001d: add byte ptr [eax], al
0x5fff001f: add byte ptr [eax], al
0x5fff0021: add byte ptr [eax], al
0x5fff0023: add byte ptr [eax], al
0x5fff0025: add byte ptr [eax], al
0x5fff0027: add byte ptr [eax], al
0x5fff0029: add byte ptr [eax], al
0x5fff002b: add byte ptr [eax], al
0x5fff002d: add byte ptr [eax], al
0x5fff002f: add byte ptr [eax], al
0x5fff0031: add byte ptr [eax], al
0x5fff0033: add byte ptr [eax], al
0x5fff0035: add byte ptr [eax], al
0x5fff0037: add byte ptr [eax], al
0x5fff0039: add byte ptr [eax], al
0x5fff003b: add byte ptr [eax], al
0x5fff003d: add byte ptr [eax], al

; PID 2700 (powershell.exe), 0x1100000-0x113ffff: the dword at +0x08 is 0xffeeffee, and the
; following dwords are addresses inside the region (0x011000a8, 0x01100588, 0x01100ff0) or
; its end + 1 (0x01140000), the same layout as the 0x730000 hit in PID 2460. This is
; consistent with an NT heap segment header. NOTE(review): confirm against the process heap
; list. A heap that is executable is still worth explaining.
2700 powershell.exe 0x1100000 0x113ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
f2 44 93 9f 1e 46 00 01 .D...F..
ee ff ee ff 00 00 00 00 ........
a8 00 10 01 a8 00 10 01 ........
00 00 10 01 00 00 10 01 ........
40 00 00 00 88 05 10 01 @.......
00 00 14 01 3f 00 00 00 ....?...
01 00 00 00 00 00 00 00 ........
f0 0f 10 01 f0 0f 10 01 ........
; Disassembly of the 0x1100000 hit (powershell.exe PID 2700). It covers only the first nine
; bytes and stops at `out dx, al`, the ee that starts the ee ff ee ff marker at +0x08; these
; lines most likely decode header data, not code.
0x1100000: inc esp
0x1100002: xchg eax, ebx
0x1100003: lahf
0x1100004: push ds
0x1100005: inc esi
0x1100006: add byte ptr [ecx], al
0x1100008: out dx, al

; PID 2700, 0x1b10000-0x1b4ffff (CommitCharge 4): same header layout as 0x1100000, with
; 0xffeeffee at +0x08, in-region addresses and end + 1 (0x01b50000). `call 0x63948c02` is
; the first eight header bytes decoded as an instruction, so that target is an artefact.
; Note that this region is the destination of the jmp stubs in the 0x7ff50000 hit.
2700 powershell.exe 0x1b10000 0x1b4ffff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
fb e8 fc 8b e3 61 00 01 .....a..
ee ff ee ff 00 00 00 00 ........
a8 00 b1 01 a8 00 b1 01 ........
00 00 b1 01 00 00 b1 01 ........
40 00 00 00 88 05 b1 01 @.......
00 00 b5 01 3c 00 00 00 ....<...
01 00 00 00 00 00 00 00 ........
f0 3f b1 01 f0 3f b1 01 .?...?..
0x1b10000: sti
0x1b10001: call 0x63948c02
0x1b10006: add byte ptr [ecx], al
0x1b10008: out dx, al

; PID 2700, 0x7ff50000: after a 16-byte header, the hexdump holds 10-byte stubs of the form
; 68 NN 00 00 00 e9 <rel32> (push N; jmp rel32) at +0x10, +0x1a, +0x24, +0x2e and +0x38.
; Decoding starts at +0x00, so the first stub and the push of the second are misdecoded
; (`add byte ptr [eax], ch` ... `mov esp, 0x16881`); the listing is back in step from
; 0x7ff5001f. Every decoded jmp goes to 0x1b138cc, inside the RWX region 0x1b10000-0x1b4ffff
; of this process, so the two regions should be reviewed together.
; NOTE(review): push/jmp thunk tables can be produced by a language runtime; the page alone
; does not show who wrote these.
2700 powershell.exe 0x7ff50000 0x7ff5ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
00 00 00 00 97 19 00 00 ........
00 00 00 00 0e 00 00 00 ........
68 00 00 00 00 e9 b2 38 h......8
bc 81 68 01 00 00 00 e9 ..h.....
a8 38 bc 81 68 02 00 00 .8..h...
00 e9 9e 38 bc 81 68 03 ...8..h.
00 00 00 e9 94 38 bc 81 .....8..
68 04 00 00 00 e9 8a 38 h......8
0x7ff50000: add byte ptr [eax], al
0x7ff50002: add byte ptr [eax], al
0x7ff50004: xchg eax, edi
0x7ff50005: sbb dword ptr [eax], eax
0x7ff50007: add byte ptr [eax], al
0x7ff50009: add byte ptr [eax], al
0x7ff5000b: add byte ptr [esi], cl
0x7ff5000d: add byte ptr [eax], al
0x7ff5000f: add byte ptr [eax], ch
0x7ff50012: add byte ptr [eax], al
0x7ff50014: add cl, ch
0x7ff50016: mov dl, 0x38
0x7ff50018: mov esp, 0x16881
0x7ff5001d: add byte ptr [eax], al
0x7ff5001f: jmp 0x1b138cc
0x7ff50024: push 2
0x7ff50029: jmp 0x1b138cc
0x7ff5002e: push 3
0x7ff50033: jmp 0x1b138cc
0x7ff50038: push 4

; PID 2700, 0x7ff60000-0x7ffaffff: the visible bytes read as a table of small integers and
; pointers, not code. The dwords at +0x34, +0x38 and +0x3c (0x7ff50010, 0x7ff5001a,
; 0x7ff50024) are the start addresses of the first three stubs in the 0x7ff50000 hit.
; Only the first disassembly line of this hit is visible here.
2700 powershell.exe 0x7ff60000 0x7ffaffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
ec ff ff ff 04 00 00 00 ........
01 00 00 00 00 00 08 01 ........
1c 00 00 00 15 00 0e 00 ........
0e 00 00 00 64 09 ab 6a ....d..j
00 10 84 6a 5c 70 86 6a ...j\p.j
2c 30 84 6a 00 00 00 00 ,0.j....
00 00 00 00 10 00 f5 7f ........
1a 00 f5 7f 24 00 f5 7f ....$...
0x7ff60000: in al, dx