Window Pains 3

Challenge:

Using the memory dump file from Window Pains, find out the name of the malicious process.

Submit the flag as flag{process-name_pid} (include the extension).

Example: flag{svchost.exe_1234}

Solution:

We identified the malicious process while manually reviewing the list of command line arguments for each process:

$ ~/Tools/volatility3/vol.py -qf physmemraw windows.cmdline.CmdLine

Within the generated list we observed a process executing from the temp directory:

8180	userinit.exe	C:\Windows\Temp\userinit.exe

The accepted flag was flag{userinit.exe_8180}.
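As an added example (not part of the original writeup), the following Python script automates the manual review described above: it parses the tab-separated rows that windows.cmdline.CmdLine prints and flags any process that executes from a scratch directory such as C:\Windows\Temp, or that carries a well-known system binary name but runs outside the directory it belongs in. The sample rows are constructed for illustration, with the hit from this dump (PID 8180) placed among benign-looking rows; the directory lists are assumptions for the example, not Volatility output.

```python
# Added example: automates the manual review of windows.cmdline.CmdLine output by
# flagging processes that run from a scratch directory or, for well-known system
# binaries, from anywhere other than their expected directory. Sample rows are
# constructed (PID 8180 is the Window Pains hit); directory lists are assumptions.
SAMPLE_OUTPUT = """PID\tProcess\tArgs
4\tSystem\tRequired memory at 0x20 is not valid (process exited?)
632\tlsass.exe\tC:\\Windows\\system32\\lsass.exe
1120\tsvchost.exe\tC:\\Windows\\system32\\svchost.exe -k netsvcs -p
5396\tuserinit.exe\tC:\\Windows\\system32\\userinit.exe
8180\tuserinit.exe\tC:\\Windows\\Temp\\userinit.exe
"""
# Well-known Windows binaries and the single directory each should run from.
EXPECTED_DIRS = {"userinit.exe": "c:\\windows\\system32", "svchost.exe": "c:\\windows\\system32",
                 "lsass.exe": "c:\\windows\\system32", "explorer.exe": "c:\\windows"}

def parse_cmdline(output):
    """Return (pid, name, args) tuples, skipping the header and any banner lines."""
    rows = []
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) >= 3 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows

def image_path(args):
    """First token of the command line, honouring a quoted path that contains spaces."""
    args = args.strip()
    if args.startswith('"'):
        end = args.find('"', 1)
        return args[1:end] if end > 0 else args[1:]
    return args.split(" ", 1)[0]

def in_scratch_dir(directory):
    """True for C:\\Windows\\Temp, C:\\ProgramData (and subfolders) or any user's AppData\\Local\\Temp."""
    for root in ("c:\\windows\\temp", "c:\\programdata"):
        if directory == root or directory.startswith(root + "\\"):
            return True
    return "\\appdata\\local\\temp" in directory

def flag_suspicious(rows):
    """Return (pid, name, reason) for every process whose image path is out of place."""
    hits = []
    for pid, name, args in rows:
        path = image_path(args).lower()
        directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
        expected = EXPECTED_DIRS.get(name.lower())
        if in_scratch_dir(directory):
            hits.append((pid, name, f"executes from scratch directory {directory}"))
        elif expected and directory != expected:
            hits.append((pid, name, f"system binary name outside {expected}"))
    return hits
```

Pipe the real plugin output into parse_cmdline instead of SAMPLE_OUTPUT to run the same check over a full dump; each hit maps directly onto the challenge's flag{process-name_pid} format.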
