
getting the opened files list

To get the list of files that were open while you were taking the dump, issue the command below.

Especially look for executables located in directories where no executables usually reside.

vol.exe -f vaio_mem.dmp --profile=Win7SP1x64 filescan >filescan.txt

File "filescan.txt"

Having a look at the opened files

One should look out for executable files in areas where they usually do not reside.

For example:

Finding an .EXE file in a sub folder of \program files\ does not look like an issue, but finding a mtsdlcs.exe in \Windows\temp should make you suspicious.
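As an added illustration, not part of the original post, here is a small Python script that parses filescan output in the Volatility 2 layout (Offset(P), #Ptr, #Hnd, Access, Name) and flags executables that sit outside an assumed allowlist of normal locations. The sample lines, their offsets and the EXPECTED_DIRS allowlist are constructed assumptions, not data from the dump discussed above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of Volatility 2 "filescan" output.
# Offsets and paths are made-up values, not artefacts from a real image.
SAMPLE_FILESCAN = r"""
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e1b2f20     16      0 R--r-d \Device\HarddiskVolume1\Windows\System32\ntdll.dll
0x000000003e2c4070      2      1 R--rwd \Device\HarddiskVolume1\Program Files\Vendor\app.exe
0x000000003e3d5a90      3      0 RW-rw- \Device\HarddiskVolume1\Windows\Temp\mtsdlcs.exe
0x000000003e4e6bc0      1      0 R--r-- \Device\HarddiskVolume1\Users\bob\Documents\notes.txt
0x000000003e5f7d10      4      0 R--r-d \Device\HarddiskVolume1\Users\bob\AppData\Local\Temp\x.dll
"""

# Hypothetical allowlist of directories where executables are expected;
# tune it to the system the image was taken from.
EXPECTED_DIRS = (
    r"\Windows\System32",
    r"\Windows\SysWOW64",
    r"\Program Files",
    r"\Program Files (x86)",
)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr"}

# One entry line: offset, pointer count, handle count, access flags, path.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")
# Kernel device prefix that filescan prints in front of every path.
VOLUME_RE = re.compile(r"^\\Device\\HarddiskVolume\d+", re.IGNORECASE)


def parse_filescan(text):
    """Yield (offset, ptrs, handles, access, path) for each entry line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)


def suspicious_executables(text):
    """Return volume-relative paths of executables outside EXPECTED_DIRS."""
    hits = []
    for _off, _ptr, _hnd, _acc, path in parse_filescan(text):
        rel = VOLUME_RE.sub("", path)  # e.g. \Windows\Temp\mtsdlcs.exe
        if PureWindowsPath(rel).suffix.lower() not in EXEC_EXT:
            continue  # not an executable, ignore
        low = rel.lower()
        if not any(low.startswith(d.lower() + "\\") for d in EXPECTED_DIRS):
            hits.append(rel)
    return hits


if __name__ == "__main__":
    for p in suspicious_executables(SAMPLE_FILESCAN):
        print("suspicious:", p)
```

Feed it the real filescan.txt instead of the sample to get a shortlist worth inspecting by hand; an entry in the list is a lead, not proof of malware.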