We found some unusual activity coming from an employee’s Windows 10 workstation at De Monne Financial. Our IT guy saved the memory dump to the file provided below. What was the PID of the program used to capture the memory dump? Submit the flag as
As the challenge description states, the Zip archive contained a memory dump file named mem.raw. The given task is to identify the PID of the memory capture utility so I use Volatility to produce a process list:
$ vol.py -qf mem.raw windows.pslist.PsList
Looking though the output I find the utility as the bottom of the list, WinPmem is an Open Source memory acquisition tool.
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime Dumped 3348 784 winpmem_v3.3.r 0x87868f2e1080 5 - 1 True 2020-06-26 15:51:36.000000 N/A False
Its PID was 3348 making the complete flag,