Sysinternals and Cyber Triage - termcap/cybersecurity GitHub Wiki

  • Use autoruns.exe -> Image Hijacks tab to see if any image (executable) has been hijacked.

  • Virtual memory - the virtual memory manager allocates memory to a process in such a way that, from the process's point of view, its memory starts at location 0. Basically, physical memory is virtualized so that each process gets the impression that its address space starts at location 0.

  • A program is the piece of code that the programmer writes. When loaded into memory, the program becomes a process, which is basically a sandbox of virtual memory allocated to it. The process itself does not run; the threads are what actually run. Threads are scheduled and given time slices on the CPU. On multicore CPUs one thread may run on one core while another thread runs on another core.

  • So when a program crashes or malfunctions, it is actually one of its threads that is the problem and must be isolated.

  • Use winmd5free and strings to create indicators of compromise (IOCs) such as the hash of the file, the size of the file and specific strings from the output of strings, then search for these IOCs (e.g. the file hash) on AlienVault etc.
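The IOC step above done in Python, as an added example that is not part of the original wiki: it computes the hashes and size that winmd5free reports, pulls printable strings the way the Sysinternals strings tool does (ASCII and UTF-16LE, which Windows binaries use heavily), and then keeps only the strings worth searching for (URLs, IPs, paths, registry keys). SAMPLE is a constructed stand-in for a suspicious file, not a real sample.

```python
import hashlib
import re
from typing import Dict, List

# Strings worth searching on a threat-intel portal: URLs, IPv4 addresses,
# Windows paths / UNC paths, registry hives and executable file names.
NOTABLE = re.compile(
    r"https?://|[A-Za-z]:\\|\\\\|HKEY_|HKLM|HKCU|\.(?:exe|dll|bat|ps1)\b"
    r"|\b\d{1,3}(?:\.\d{1,3}){3}\b",
    re.IGNORECASE,
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of >= min_len printable characters, like `strings -n 4`.
    Both 8-bit ASCII and UTF-16LE (wide) strings are returned."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def select_notable(strings: List[str]) -> List[str]:
    """Keep only strings that look like usable indicators."""
    return [s for s in strings if NOTABLE.search(s)]


def build_iocs(data: bytes, min_len: int = 4) -> Dict[str, object]:
    """The IOC set the notes describe: MD5, SHA-256, size and notable strings."""
    strings = extract_strings(data, min_len)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "strings": strings,
        "notable": select_notable(strings),
    }


# Constructed sample bytes: PE-like header junk, an ASCII string, a UTF-16LE
# path and a URL (example.invalid is a reserved, non-routable domain).
SAMPLE = (
    b"MZ\x90\x00\x03" + b"This program cannot be run in DOS mode" + b"\x00\xff\x01"
    + "C:\\Users\\Public\\run.exe".encode("utf-16le") + b"\x00\x00"
    + b"http://example.invalid/beacon" + b"\x02\x03"
)

if __name__ == "__main__":
    for key, value in build_iocs(SAMPLE).items():
        print(f"{key}: {value}")
```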