Volatility 3 Framework 1.0.1

PID	Process	Args
4	System	Required memory at 0x10 is not valid (process exited?)
396	smss.exe	\SystemRoot\System32\smss.exe
460	csrss.exe	C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
500	wininit.exe	wininit.exe
584	services.exe	C:\Windows\system32\services.exe
600	lsass.exe	C:\Windows\system32\lsass.exe
608	lsm.exe	C:\Windows\system32\lsm.exe
760	svchost.exe	C:\Windows\system32\svchost.exe -k DcomLaunch
824	svchost.exe	C:\Windows\system32\svchost.exe -k rpcss
856	svchost.exe	C:\Windows\System32\svchost.exe -k secsvcs
988	svchost.exe	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1016	svchost.exe	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1032	svchost.exe	C:\Windows\system32\svchost.exe -k netsvcs
1084	audiodg.exe	C:\Windows\system32\AUDIODG.EXE 0x288
1108	svchost.exe	C:\Windows\system32\svchost.exe -k GPSvcGroup
1132	SLsvc.exe	C:\Windows\system32\SLsvc.exe
1224	svchost.exe	C:\Windows\system32\svchost.exe -k LocalService
1296	svchost.exe	C:\Windows\system32\svchost.exe -k NetworkService
1488	spoolsv.exe	C:\Windows\System32\spoolsv.exe
1512	svchost.exe	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1920	taskeng.exe	taskeng.exe {7EC134E2-8BEF-46AF-94C8-8C16150FAB71}
496	svchost.exe	C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
1316	VMwareService.e	"C:\Program Files\VMware\VMware Tools\VMwareService.exe"
1444	svchost.exe	C:\Windows\System32\svchost.exe -k WerSvcGroup
2028	SearchIndexer.e	C:\Windows\system32\SearchIndexer.exe /Embedding
1356	dllhost.exe	C:\Windows\system32\dllhost.exe /Processid:{D34C07AA-275B-496E-A3CC-AFA75F2752EE}
1796	dllhost.exe	C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2076	csrss.exe	C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
2100	winlogon.exe	winlogon.exe
2176	msdtc.exe	C:\Windows\System32\msdtc.exe
2392	VSSVC.exe	C:\Windows\system32\vssvc.exe
2504	taskeng.exe	taskeng.exe {7F495FBC-66B3-4B6A-A068-DC3607159EB1}
2864	dwm.exe	"C:\Windows\system32\Dwm.exe"
2884	explorer.exe	C:\Windows\Explorer.EXE
2992	MSASCui.exe	"C:\Program Files\Windows Defender\MSASCui.exe" -hide
3000	VMwareTray.exe	"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
3008	VMwareUser.exe	"C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
3076	sidebar.exe	"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
3576	cmd.exe	"C:\Windows\System32\cmd.exe"
3804	SearchProtocolH	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
3828	SearchFilterHos	"C:\Windows\system32\SearchFilterHost.exe" 0 628 632 640 65536 636
3868	SearchProtocolH	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_s-1-5-21-285957352-2877602163-2811336752-10002_ Global\UsGthrCtrlFltPipeMssGthrPipe_s-1-5-21-285957352-2877602163-2811336752-10002 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
3968	telnet.exe	telnet towel.blinkenlights.nl
536	WmiPrvSE.exe	C:\Windows\system32\wbem\wmiprvse.exe