
Forensics

This is a memory dump of a compromised system; do some forensics kung-fu to explore what is inside.

hard

60 min


Task 1: Volatility forensics

This is a memory dump of the infected system. Download the file attached to this Task.

The MD5 hash of the uncompressed file is: ba44c4b977d28132faeb5fb8b06debce

Answer the questions below

Download the victim.zip

What is the Operating System of this Dump file? (OS name)

What is the PID of SearchIndexer?

What is the last directory accessed by the user?

(Give the last folder name exactly as it appears)

Dig a little more...

Answer the questions below

There are many open ports; which one is suspicious? (ANSWER format: protocol:port)

VAD tags and execute protection are strong indicators of malicious processes; can you find which processes they are? (ANSWER format: Pid1;Pid2;Pid3)

In the previous task you identified malicious processes, so let's dig into them and find some Indicators of Compromise (IOCs). You just need to find them and fill in the blanks (you may search for them on VirusTotal to discover more details).

Answer the questions below

'www.go****.ru' (write full url without any quotation marks)

'www.i****.com' (write full url without any quotation marks)

'www.ic******.com'

202.***.233.*** (Write full IP)

***.200.**.164 (Write full IP)

209.190.***.***

What is the unique environmental variable of PID 2464?

Room Type: Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room: 4,235

Created: 2296 days ago
