Process list

The first of these will be the pslist plugin. The pslist command lists the processes that were running in memory at the time of capture. This plugin outputs the offset, process name, PID, the number of threads and handles, and the date and time the process started and exited. Because the pslist plugin walks the doubly-linked list pointed to by PsActiveProcessHead, it cannot detect hidden or unlinked processes. To execute the plugin, enter the following into Command Prompt:

dfir@Desktop-SFARF6G~$ volatility -f cridex_laptop.mem --profile=WinXPSP2x86 pslist

The preceding command produces the following output:

From the output, there does not appear to be anything suspicious right away. What is interesting is the reader_sl.exe executable. This stands out as a different file naming convention from the other processes. While there is no concrete data indicating that the file is malicious, it may be something to examine further.
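To see why walking the list misses an unlinked process, here is an added Python sketch (not from the book and not Volatility's own code) that builds a constructed toy memory image, walks the ring from a stand-in PsActiveProcessHead the way pslist does, and carves the same blocks by signature the way psscan does. The block layout, tag, offsets, PIDs and the hidden.exe entry are all constructed assumptions for the demonstration.

```python
import struct

# Constructed toy memory image. Each fake process block (stand-in for _EPROCESS)
# is: flink, blink (the ActiveProcessLinks LIST_ENTRY), 4-byte tag, PID, 16-byte
# name. HEAD stands in for PsActiveProcessHead, a bare LIST_ENTRY with no body.
FMT = "<II4sI16s"
TAG = b"Proc"
HEAD = 0x10
# Constructed sample (offset, pid, name); PIDs and names are illustrative only.
SAMPLE = [(0x40, 4, "System"), (0x80, 1234, "explorer.exe"),
          (0xC0, 2048, "reader_sl.exe"), (0x100, 3333, "hidden.exe")]

def build_image(procs, hidden=()):
    """Link every non-hidden block into a ring off HEAD. A hidden block is still
    written to memory, but its neighbours skip it (a DKOM-style unlink)."""
    img = bytearray(0x200)
    ring = [HEAD] + [off for off, _, name in procs if name not in hidden]
    links = {o: (ring[(i + 1) % len(ring)], ring[i - 1]) for i, o in enumerate(ring)}
    struct.pack_into("<II", img, HEAD, *links[HEAD])
    for off, pid, name in procs:
        flink, blink = links.get(off, (off, off))  # unlinked block points at itself
        struct.pack_into(FMT, img, off, flink, blink, TAG, pid, name.encode())
    return img

def walk_active_list(img):
    """What pslist does: follow flink from the head until the ring closes."""
    found, seen = [], set()
    off = struct.unpack_from("<I", img, HEAD)[0]
    while off != HEAD and off not in seen:  # seen-set guards a corrupted ring
        seen.add(off)
        flink, _blink, _tag, pid, name = struct.unpack_from(FMT, img, off)
        found.append((pid, name.rstrip(b"\0").decode()))
        off = flink
    return found

def scan_for_blocks(img):
    """What psscan does: carve every block that looks like a process, linked or not."""
    found, pos = [], img.find(TAG)
    while pos != -1:
        if pos >= 8:  # the tag sits 8 bytes into a block
            _f, _b, _t, pid, name = struct.unpack_from(FMT, img, pos - 8)
            found.append((pid, name.rstrip(b"\0").decode()))
        pos = img.find(TAG, pos + 1)
    return found

def unlinked_processes(img):
    """Present in the scan but missing from the walk: what pslist alone cannot show."""
    return sorted(set(scan_for_blocks(img)) - set(walk_active_list(img)))
```

Comparing the two views is the same cross-check an analyst does by running psscan alongside pslist on a real image.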
