3615 Incident (1)

Category: Forensic

Points: 127

Description: One more victim has fallen to a ransomware. Paying the ransom is not being considered given the amount demanded. You are called in to try to restore the encrypted files. A series of elements is needed to move the investigation forward and to put together the incident report. To begin with: what is the name of the ransomware's executable file, what is its process identifier, and what did the file name flag.docx become once encrypted? Give the SHA1 of that name, extension included. Note: the disk image is about 440 MB compressed and about 1.4 GB uncompressed. Expected answer format: ECSC{ransomware_name.exe:PID:sha1}.

Files: mem.dmp

TL;DR

To find out what happened we look at the command lines of the processes present in the memory dump. That alone gives us the three pieces of information needed to reconstruct the flag.

Methodology

First of all, we look at what type of file we are dealing with.

>_ file mem.dmp
mem.dmp: MS Windows 64bit crash dump, full dump, 344794 pages

We have a 64-bit Windows crash dump. Let's look at what it contains in more detail with Volatility (2.6.1 here).

The first thing to do with Volatility is, of course, imageinfo.

>_ volatility -f mem.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
[the same WARNING line is repeated 17 more times]
          Suggested Profile(s) : Win10x64_17134, Win10x64_10240_17770, Win10x64_10586, Win10x64_14393, Win10x64, Win2016x64_14393, Win10x64_16299, Win10x64_15063 (Instantiated with Win10x64_15063)
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/lambdhack/ctf/ecsc/forensic/3615_incident/mem.dmp)
                      PAE type : No PAE
                           DTB : 0x1ab000L
                          KDBG : 0xf801f433ba60L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff801f4394000L
                KPCR for CPU 1 : 0xffffd0012eb07000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-05-08 20:04:11 UTC+0000
     Image local date and time : 2019-05-08 22:04:11 +0200

imageinfo suggests several Windows 10 x64 builds; the generic Win10x64 profile is enough for the plugins we need. The repeated alignment warning only means that walking a crash-dump address space is slow, it does not affect the results.

Now we look at the running processes.

>_ volatility -f mem.dmp --profile=Win10x64 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe0000f65a040 --------------------      4      0 30...6        0 ------      0 2019-05-08 19:57:03 UTC+0000                                 
0xffffe00010e4b040 ?t?                    256      4 28...4        0 ------      0 2019-05-08 19:57:03 UTC+0000                                 
0xffffe00010ef2080 ???                    360    348 30...2        0      0      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe00011302080 ?/                    472    348 28...4        0      0      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe00011305180 ?@0                    480    464 30...2        0      1      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe00011344080 ?4                    544    464 30...2        0      1      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe00011399840 0?9                    592    472 29...6        0      0      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe000113a2840 P?5                    604    472 30...8        0      0      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe000113dd480  ?=                    684    592 29...6        0      0      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe000113f2180 ?)?                    740    592 29...8        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe00011739080 ??s                    836    544 30...8        0      1      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe00011779840  ?v                    944    592 27...4        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe00011789840 `"x                    964    592 30...2        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe0001178c840 p~x                    972    592 30...6        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe0001179c840  ox                   1000    592 29...8        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe000117e0840  ?}                    296    592 28...4        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe000117e1080 ??}                    668    592 30...4        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe0000f685840 慈ཨ...           1036    592 29...6        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe0000f683840 m                   1216    592 30...4        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe00011617840 d                   1304    592 30...2        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe00011cc45c0 ?                      1652    592 30...4        0      0      0 2019-05-08 19:57:07 UTC+0000                                 
0xffffe00011cf1840 ???                   1712    592 29...8        0      0      0 2019-05-08 19:57:07 UTC+0000                                 
0xffffe00011cff840 ???                   1732    592 30...2        0      0      0 2019-05-08 19:57:07 UTC+0000                                 
0xffffe00011d0a840 ???                   1760    592 30...6        0      0      0 2019-05-08 19:57:07 UTC+0000                                 
0xffffe00011d1b840  J?                   1776    592 27...6        0      0      0 2019-05-08 19:57:07 UTC+0000                                 
0xffffe000115ae840 P?T                   2244    684 30...4        0      0      0 2019-05-08 19:57:09 UTC+0000                                 
0xffffe000115ac840  _\                   2308    592 26...0        0      0      0 2019-05-08 19:57:09 UTC+0000                                 
0xffffe0000f823340 ??^                   2464    592 26...0        0      0      0 2019-05-08 19:57:10 UTC+0000                                 
0xffffe0000f839840 ???                   2708    592 30...0        0      0      0 2019-05-08 19:57:10 UTC+0000                                 
0xffffe00010aba840 --------------------   2204    944 29...8        0      1      0 2019-05-08 19:57:14 UTC+0000                                 
0xffffe00011fa8840 ?m?                   2168    944 30...2        0      1      0 2019-05-08 19:57:14 UTC+0000                                 
0xffffe00012023580                    3092    684 27...2        0      1      0 2019-05-08 19:57:14 UTC+0000                                 
0xffffe00012034080 --------------------   3120    544 30...8 --------      1      0 2019-05-08 19:57:14 UTC+0000                                 
0xffffe000116e3080 ??                   3184   3120 27...6        0      1      0 2019-05-08 19:57:14 UTC+0000                                 
0xffffe00012077240 ?@                   3220    684 31...0        0      1      1 2019-05-08 19:57:14 UTC+0000                                 
0xffffe0001225b840 --------------------   3444    592 27...0        0      0      0 2019-05-08 19:57:15 UTC+0000                                 
0xffffe00011f8f7c0 --------------------   3576    684 30...6        0      1      0 2019-05-08 19:57:15 UTC+0000                                 
0xffffe000122aa840 @N?                   4452    592 30...8        0      1      0 2019-05-08 19:57:23 UTC+0000                                 
0xffffe00012620080 ?                   4812   3184 29...4        0      1      0 2019-05-08 19:57:27 UTC+0000                                 
0xffffe000125fb840 Pi^                   4916    684 29...6        0      0      0 2019-05-08 19:57:28 UTC+0000                                 
0xffffe00012774080 ??v                   3080   3184 30...8        0      1      1 2019-05-08 19:57:29 UTC+0000                                 
0xffffe000125a7840 ?;3                   4040   3184 27...0        0      1      1 2019-05-08 19:59:06 UTC+0000                                 
0xffffe000125f7840 ??-                   4896   4040 31...8        0      1      1 2019-05-08 19:59:07 UTC+0000                                 
0xffffe00010385080 @3                   4736   4040 27...0        0      1      1 2019-05-08 19:59:08 UTC+0000                                 
0xffffe00010347080 --------------------   3744   4040 27...6        0      1      1 2019-05-08 19:59:09 UTC+0000                                 
0xffffe00011196080 --------------------   3256   4040 31...4        0      1      1 2019-05-08 19:59:11 UTC+0000                                 
0xffffe00011f8b080 ?d                   5060   3444 30...2        0      0      0 2019-05-08 19:59:31 UTC+0000                                 
0xffffe000127446c0 --------------------   5084   4040 30...6 --------      1      1 2019-05-08 19:59:33 UTC+0000                                 
0xffffe00012155200  ??                   1360   4040 30...0        0      1      1 2019-05-08 19:59:42 UTC+0000                                 
0xffffe00012530080 ??E                   3248   4932 28...4        0      0      0 2019-05-08 19:59:43 UTC+0000                                 
0xffffe000125b8080 @TX                   3888    684 27...2        0      1      0 2019-05-08 20:00:03 UTC+0000                                 
0xffffe000126d3080 ??}                   2624    964 29...8        0      0      0 2019-05-08 20:00:15 UTC+0000                                 
0xffffe000106bb840 ?                      5208   3184 29...0        0      1      1 2019-05-08 20:00:16 UTC+0000                                 
0xffffe00010335080 ?l                   5224   5208 26...8        0      1      0 2019-05-08 20:00:16 UTC+0000                                 
0xffffe00012268100 0S?                   5444   3184 30...0        0      1      0 2019-05-08 20:00:29 UTC+0000                                 
0xffffe0001214e080 --------------------   5496   3184 27...6 --------      1      1 2019-05-08 20:00:33 UTC+0000                                 
0xffffe00012910080 ??y                   5792    592 27...6        0      0      0 2019-05-08 20:00:58 UTC+0000                                 
0xffffe00012854840 ?|                    5840   3184 30...4        0      1      0 2019-05-08 20:01:01 UTC+0000                                 
0xffffe000126b7840 `?@                   6100    296 29...8        0      0      0 2019-05-08 20:01:27 UTC+0000                                 
0xffffe0001287a840 ??N                   5176   3184 27...8        0      1      1 2019-05-08 20:01:49 UTC+0000                                 
0xffffe00010441600 ??n                   3192    944 30...2        0      1      0 2019-05-08 20:02:15 UTC+0000                                 
0xffffe000123e21c0 ??                   4320   3444 30...8        0      0      0 2019-05-08 20:02:52 UTC+0000                                 
0xffffe0001051c840 ??X                   5596   3184 27...8        0      1      0 2019-05-08 20:04:09 UTC+0000                                 
0xffffe0001051b080 `?`                   5364   5596 28...4        0      1      0 2019-05-08 20:04:09 UTC+0000    

What are the names of the processes? They are normally readable. Here they are not.

WTF

The most likely explanation is that the ransomware (or the challenge author) overwrote the ImageFileName field of each _EPROCESS structure, which is the kernel-side field pslist prints. The command line of a process is stored somewhere else entirely, in user space in the PEB's ProcessParameters, so it is an independent source for the same information.

Since the names give us nothing, we use the cmdline plugin to recover each process's command line and see what the ransomware has done.

>_ volatility -f mem.dmp --profile=Win10x64 cmdline
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug    : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
************************************************************************
 pid:      4
************************************************************************
?t? pid:    256
Command line : \SystemRoot\System32\smss.exe
************************************************************************
??? pid:    360
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
?/ pid:    472
Command line : wininit.exe
************************************************************************
?@0 pid:    480
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
************************************************************************
?4 pid:    544
Command line : winlogon.exe
************************************************************************
0?9 pid:    592
Command line : C:\Windows\system32\services.exe
************************************************************************
P?5 pid:    604
Command line : C:\Windows\system32\lsass.exe
************************************************************************
 ?= pid:    684
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
************************************************************************
?)? pid:    740
Command line : C:\Windows\system32\svchost.exe -k RPCSS
************************************************************************
??s pid:    836
Command line : "dwm.exe"
************************************************************************
 ?v pid:    944
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
`"x pid:    964
Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
************************************************************************
p~x pid:    972
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
************************************************************************
 ox pid:   1000
Command line : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
************************************************************************
 ?} pid:    296
Command line : C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
************************************************************************
??} pid:    668
Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
************************************************************************
慈ཨ￿ pid:   1036
Command line : C:\Windows\system32\svchost.exe -k LocalService
************************************************************************
m pid:   1216
Command line : C:\Windows\system32\svchost.exe -k NetworkService
************************************************************************
d pid:   1304
Command line : C:\Windows\System32\spoolsv.exe
************************************************************************
? pid:   1652
Command line : C:\Windows\System32\svchost.exe -k utcsvc
************************************************************************
??? pid:   1712
Command line : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
************************************************************************
??? pid:   1732
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
************************************************************************
??? pid:   1760
Command line : C:\Windows\system32\svchost.exe -k appmodel
************************************************************************
 J? pid:   1776
Command line : "C:\Program Files\Windows Defender\MsMpEng.exe"
************************************************************************
P?T pid:   2244
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
 _\ pid:   2308
Command line : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
************************************************************************
??^ pid:   2464
Command line : C:\Windows\System32\msdtc.exe
************************************************************************
??? pid:   2708
Command line : "C:\Program Files\Windows Defender\NisSrv.exe"
WARNING : volatility.debug    : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
************************************************************************
 pid:   2204
Command line : sihost.exe
************************************************************************
?m? pid:   2168
Command line : taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
************************************************************************
 pid:   3092
Command line : C:\Windows\System32\RuntimeBroker.exe -Embedding
WARNING : volatility.debug    : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
************************************************************************
 pid:   3120
************************************************************************
?? pid:   3184
Command line : C:\Windows\Explorer.EXE
************************************************************************
?@ pid:   3220
Command line : 
WARNING : volatility.debug    : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
************************************************************************
 pid:   3444
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
WARNING : volatility.debug    : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
************************************************************************
 pid:   3576
************************************************************************
@N? pid:   4452
Command line : C:\Windows\System32\svchost.exe -k UnistackSvcGroup
************************************************************************
? pid:   4812
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
************************************************************************
Pi^ pid:   4916
Command line : C:\Windows\system32\wbem\wmiprvse.exe
************************************************************************
??v pid:   3080
Command line : 
************************************************************************
?;3 pid:   4040
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" 
************************************************************************
??- pid:   4896
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.0.814670744\1990131067" -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 1332 gpu
************************************************************************
@3 pid:   4736
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.6.134942365\347688373" -childID 1 -isForBrowser -prefsHandle 2124 -prefMapHandle 1892 -prefsLen 1 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 1980 tab
WARNING : volatility.debug    : NoneObject as string: Buffer length 47200 for _UNICODE_STRING not within bounds
************************************************************************
 pid:   3744
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.13.1487111388\1473004279" -childID 2 -isForBrowser -prefsHandle 3132 -prefMapHandle 3136 -prefsLen 5418 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 3148 tab
WARNING : volatility.debug    : NoneObject as string: Buffer length 5136 for _UNICODE_STRING not within bounds
************************************************************************
 pid:   3256
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.20.172274201\1384691405" -childID 3 -isForBrowser -prefsHandle 3064 -prefMapHandle 3664 -prefsLen 6288 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 3732 tab
************************************************************************
?d pid:   5060
Command line : "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" 
WARNING : volatility.debug    : NoneObject as string: Buffer length 16096 for _UNICODE_STRING not within bounds
************************************************************************
 pid:   5084
************************************************************************
 ?? pid:   1360
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.34.980828210\1605638851" -childID 5 -isForBrowser -prefsHandle 5424 -prefMapHandle 4376 -prefsLen 6475 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 5368 tab
************************************************************************
??E pid:   3248
Command line : "C:\Program Files\Windows Defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey D107B503-2934-DB76-C339-E28DEE97615C -Reinvoke
************************************************************************
@TX pid:   3888
Command line : "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
************************************************************************
??} pid:   2624
Command line : C:\Windows\system32\AUDIODG.EXE 0xa94
************************************************************************
? pid:   5208
Command line : "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe" 
************************************************************************
?l pid:   5224
Command line : \??\C:\Windows\system32\conhost.exe 0x4
************************************************************************
0S? pid:   5444
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré
WARNING : volatility.debug    : NoneObject as string: Buffer length 16450 for _UNICODE_STRING not within bounds
************************************************************************
 pid:   5496
************************************************************************
??y pid:   5792
Command line : C:\Windows\system32\svchost.exe -k SDRSVC
************************************************************************
?| pid:   5840
Command line : "C:\Program Files\Windows Defender\msascui.exe"
************************************************************************
`?@ pid:   6100
Command line : 
************************************************************************
??N pid:   5176
Command line : "C:\Program Files (x86)\Notepad++\notepad++.exe" 
************************************************************************
??n pid:   3192
Command line : taskhostw.exe Logon
************************************************************************
?? pid:   4320
Command line : "C:\Windows\system32\SearchFilterHost.exe" 0 620 624 632 8192 628 
************************************************************************
??X pid:   5596
Command line : "C:\Users\TNKLSAI3TGT7O9\DumpIt.exe" 
************************************************************************
`?` pid:   5364
Command line : \??\C:\Windows\system32\conhost.exe 0x4

What is interesting is this part:

************************************************************************
?;3 pid:   4040
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" 
************************************************************************
? pid:   5208
Command line : "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe" 
************************************************************************
?l pid:   5224
Command line : \??\C:\Windows\system32\conhost.exe 0x4
************************************************************************
0S? pid:   5444
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré
************************************************************************

We notice that Firefox (pid 4040) is running and that "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe" was executed with pid 5208. In the pslist output its parent is pid 3184, Explorer.EXE, and it has a conhost.exe child (pid 5224), so it is a console program that the user launched interactively, at 20:00:16.

The user most likely downloaded the ransomware with the browser and ran it.

Next we notice that the file "C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré" is open in Notepad (pid 5444). ZmxhZy5kb2N4 is the Base64 encoding of flag.docx, so the ransomware renames each file to Base64(original name) plus the extension .chiffré (French for "encrypted"). DumpIt.exe (pid 5596), started at 20:04:09 just before the image time, is the acquisition tool and not part of the incident.

To reconstruct the flag we have our three parts:

The name of the ransomware: assistance.exe
Its PID: 5208
The name of the file once encrypted: ZmxhZy5kb2N4.chiffré

The last part is hashed with SHA1, extension included, to produce the flag.

FLAG_IS:

ECSC{assistance.exe:5208:c94128109458361ff1381fc3ccdcdc4d333c5954}
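To make the reconstruction repeatable, here is an added Python example (not part of the original write-up) that parses an excerpt of the cmdline output above, lists the processes whose image lives under C:\Users, finds the file carrying the .chiffré extension, checks the Base64 rename scheme in both directions and builds the flag. The excerpt is copied from the output above; the regexes, function names and the choice of "path under C:\Users" as the suspect filter are my own. One caveat the code makes visible: the SHA1 of the file name depends on how the bytes of "é" are encoded (UTF-8 and Latin-1 give different digests), and the challenge statement does not say which it expects, so the encoding is a parameter.

```python
import base64
import hashlib
import re

# Excerpt of the `volatility ... cmdline` output shown above. The name column
# before "pid:" is garbled in this dump, so the parser ignores it on purpose.
CMDLINE_OUTPUT = r"""
************************************************************************
?;3 pid:   4040
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" 
************************************************************************
? pid:   5208
Command line : "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe" 
************************************************************************
?l pid:   5224
Command line : \??\C:\Windows\system32\conhost.exe 0x4
************************************************************************
0S? pid:   5444
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré
************************************************************************
??X pid:   5596
Command line : "C:\Users\TNKLSAI3TGT7O9\DumpIt.exe" 
"""

ENCRYPTED_EXT = ".chiffré"  # extension the ransomware appends (seen on the NOTEPAD command line)
PID_RE = re.compile(r"pid:\s+(\d+)\s*$")
CMD_RE = re.compile(r"^Command line : (.*)$")


def parse_cmdline_output(text):
    """Map pid -> command line from Volatility 2 `cmdline` output."""
    procs, pid = {}, None
    for line in text.splitlines():
        m = PID_RE.search(line)
        if m:
            pid = int(m.group(1))  # start of a new process record
            continue
        m = CMD_RE.match(line)
        if m and pid is not None:
            procs[pid] = m.group(1).strip()
            pid = None
    return procs


def image_path(cmdline):
    """Full path of the executable: first token, quotes and the \\??\\ NT prefix removed."""
    cmd = cmdline.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path[4:] if path.startswith("\\??\\") else path


def image_name(cmdline):
    return image_path(cmdline).rsplit("\\", 1)[-1]


def find_user_profile_processes(procs):
    """Processes whose image lives under C:\\Users: the first suspects on a workstation.
    The acquisition tool (DumpIt.exe) shows up here too and must be ruled out by hand."""
    return {pid: image_name(cmd) for pid, cmd in procs.items()
            if "\\users\\" in image_path(cmd).lower()}


def find_encrypted_files(procs):
    """Paths carrying the ransomware extension on any command line.
    Splitting on spaces is enough for this dump; paths with spaces would need a real argv split."""
    return [tok.strip('"') for cmd in procs.values() for tok in cmd.split()
            if tok.lower().endswith(ENCRYPTED_EXT)]


def original_name(encrypted):
    """Undo the rename scheme <name> -> Base64(<name>) + ENCRYPTED_EXT."""
    stem = encrypted.rsplit("\\", 1)[-1]
    if stem.endswith(ENCRYPTED_EXT):
        stem = stem[:-len(ENCRYPTED_EXT)]
    return base64.b64decode(stem).decode("utf-8")


def encrypted_name(original):
    return base64.b64encode(original.encode("utf-8")).decode("ascii") + ENCRYPTED_EXT


def sha1_of_name(name, encoding="utf-8"):
    """SHA1 over the bytes of the name; because of the 'é' the encoding choice changes the digest."""
    return hashlib.sha1(name.encode(encoding)).hexdigest()


def build_flag(procs, suspect_pid, encoding="utf-8"):
    exe = image_name(procs[suspect_pid])
    enc = find_encrypted_files(procs)[0].rsplit("\\", 1)[-1]
    return "ECSC{%s:%d:%s}" % (exe, suspect_pid, sha1_of_name(enc, encoding))


if __name__ == "__main__":
    procs = parse_cmdline_output(CMDLINE_OUTPUT)
    print("images under C:\\Users:", find_user_profile_processes(procs))
    print("encrypted files:", find_encrypted_files(procs))
    print("decoded name:", original_name(find_encrypted_files(procs)[0]))
    for enc in ("utf-8", "latin-1"):
        print(enc, build_flag(procs, 5208, enc))
```

Run it as a script to see both candidate flags; in a real case the same parser works on the full cmdline output of the dump, and the C:\Users filter is only a first triage, not proof of malice.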