Ans: Yes, done, and after that the memory was dumped with "dumpit.exe".
Ans: The commands executed on the memory dump are the following, and their results have
been saved in .txt files (present in the folder).
Kdbgscan: As opposed to imageinfo, which simply provides profile suggestions, kdbgscan is
designed to positively identify the correct profile and the correct KDBG address (if there
happen to be multiple). Its result was therefore the profile information.
Ans:
PID   Image name      PPID  Process Explorer / Process Monitor     Malicious/
                            (Sysinternals) comment                 benign
2600  explorer.exe    -     2600                                   benign
      hash: d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef
2192  FoxitPhantom    2600  2192                                   benign
      hash: 93b2ed4004ed5f7f3edefd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8
4     System          0     4                                      benign
272   smss.exe        4     272                                    benign
      hash: d8571652a044c807142ebeb317433d7c8589d7e264de2df90da61aa98fd81b83
388   csrss.exe       376   388                                    benign
      hash: cb1c6018fc5c15483ac5bb96e5c2e2e115bb0c0e1314837d77201bab37e8c03a
492   lsm.exe         368   492                                    benign
      hash: d205b2c163e78ab42a5d67d7664ef6b75ea0374ff0924467d624f9db0611f0ad
Explorer.exe is already a main process; it does not have a parent process.
I used Process Explorer to verify the process PIDs, and this tool also gives the option to
check a process's benign/malicious status (based on its signature) on VirusTotal.
Ans: I successfully dumped my project file. Its size was a little bit larger than the original file,
and consequently the hash was not the same.
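The PID/PPID cross-check behind the process table above, and the hash comparison behind the dumped-file answer, can both be automated. The script below is an added example written for this page, not the author's submission or a Volatility plugin. It assumes a constructed sample in the layout of a Volatility 2 "pslist" table (the names, PIDs and PPIDs mirror the table on the page; offsets, thread and handle counts, start times, and explorer.exe's PPID of 2560 are made up), reuses the page's own hash values as a reference set (they are the author's values for that one dump, not vendor-published hashes), and encodes a single expected-parent rule (smss.exe started by System) as an assumption. It goes slightly beyond the page by also flagging a process whose parent is present but wrong, which the table's PPID column lets a reader check by eye.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample in the column layout of a Volatility 2 "pslist" table.
# Names, PIDs and PPIDs mirror the table on the page; offsets, thread and
# handle counts and start times are made up. explorer.exe gets a constructed
# PPID (2560) that is absent from the list: that is how the page's "no parent"
# row looks in real output, because the launching process has already exited.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ----
0xfffffa8000c8b040 System                    4      0     86      526 ------      0 2019-01-01 10:00:00 UTC+0000
0xfffffa80015e2b30 smss.exe                272      4      2       29 ------      0 2019-01-01 10:00:01 UTC+0000
0xfffffa8001a3c060 csrss.exe               388    376      9      446      1      0 2019-01-01 10:00:03 UTC+0000
0xfffffa8001b10b30 lsm.exe                 492    368     10      145      0      0 2019-01-01 10:00:04 UTC+0000
0xfffffa8001f7a060 explorer.exe           2600   2560     34      913      1      0 2019-01-01 10:00:30 UTC+0000
0xfffffa8002311b30 FoxitPhantom.exe       2192   2600     12      310      1      0 2019-01-01 10:05:12 UTC+0000
"""

# Reference hashes copied from the page's own table (the author's values for
# that dump, not vendor-published values); System and FoxitPhantom have none.
KNOWN_HASHES = {
    "explorer.exe": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef",
    "smss.exe": "d8571652a044c807142ebeb317433d7c8589d7e264de2df90da61aa98fd81b83",
    "csrss.exe": "cb1c6018fc5c15483ac5bb96e5c2e2e115bb0c0e1314837d77201bab37e8c03a",
    "lsm.exe": "d205b2c163e78ab42a5d67d7664ef6b75ea0374ff0924467d624f9db0611f0ad",
}

# Parent a process is expected to have when that parent is still running.
# Assumption kept deliberately short: on Windows 7, smss.exe is created by System (PID 4).
EXPECTED_PARENT = {"smss.exe": "System"}


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int


# Offset, name, PID, PPID are the first four columns of a pslist row.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\b")


def parse_pslist(text: str) -> dict[int, Proc]:
    """Turn pslist text into {pid: Proc}; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            pid, ppid = int(m.group(2)), int(m.group(3))
            procs[pid] = Proc(m.group(1), pid, ppid)
    return procs


def parent_name(procs: dict[int, Proc], pid: int):
    """Name of the parent as it appears in the listing, or None if it is gone."""
    parent = procs.get(procs[pid].ppid)
    return parent.name if parent else None


def check_parents(procs: dict[int, Proc]) -> list[tuple[int, str, str]]:
    """Return (pid, name, note) for every row that deserves a second look."""
    findings = []
    for p in procs.values():
        if p.ppid == 0:  # System is the root of the tree
            continue
        parent = procs.get(p.ppid)
        if parent is None:
            # Orphans are common (the parent exited); they are noted, not condemned.
            findings.append((p.pid, p.name, f"orphan: PPID {p.ppid} not in listing"))
            continue
        want = EXPECTED_PARENT.get(p.name)
        if want and parent.name != want:
            findings.append((p.pid, p.name, f"unexpected parent {parent.name}, wanted {want}"))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(name: str, digest: str) -> str:
    """Compare a dumped file's hash against the reference set, as the page's table does."""
    known = KNOWN_HASHES.get(name)
    if known is None:
        return "unknown (no reference hash)"
    return "benign (matches reference)" if digest == known else "mismatch (hash differs from reference)"


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_OUTPUT)
    for pid, name, note in check_parents(procs):
        print(f"{pid:>5} {name:<18} {note}")
    # An image rebuilt from memory carries alignment padding the on-disk file
    # lacks (constructed here as 16 zero bytes), so its hash differs.
    on_disk, dumped = b"MZ...", b"MZ..." + b"\0" * 16
    print(sha256_hex(on_disk) == sha256_hex(dumped))
```

Run as a script it lists csrss.exe, lsm.exe and explorer.exe as orphans, which matches the page's table (their parents 376, 368 and explorer's launcher are not in the listing) and is normal on a Windows 7 host; the check only escalates when a parent is present and is not the one expected. The final comparison reproduces the observation in the last answer: a process image dumped from memory is padded differently from the file on disk, so its size and hash will not match even when the code is unchanged.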