I am new to malware analysis. I recently ran Volatility "malware" and obtained a listing of processes that have one problem or another as it is related to malware. I took one of these processes and in following instructions in the "Malware Analyst's Cookbook" regarding researching IAT's, extracted the process' executable via Volatility's "procexedump". I then compared all of the DLLs in the VAD to the PEB and noted three DLLs not in the PEB. I then compared the DLLs in the VAD to the extracted file opened via CFF Explorer. What I do not understand is why CFF Explorer only shows me two DLLs when there is 70 in the address space. CFF Explorer shows me two of these 70 in it's import address table. When I use PEBrowse64, I see the same two DLLs. Most of these are present in the PEB so they were loaded when the process was started. I'm confused.