Window Pains 3

Volatility

Problem

Created by: syyntax

Using the memory dump file from Window Pains, find out the name of the malicious process.

Submit the flag as flag{process-name_pid} (include the extension).

Example: flag{svchost.exe_1234}

Solution

Command:

sudo vol -f physmemraw windows.pstree.PsTree

PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime

4       0       System  0x9a077de79040  116     -       N/A     False   2021-09-07 14:24:34.000000      N/A
* 372   4       smss.exe        0x9a077eacc040  2       -       N/A     False   2021-09-07 14:24:34.000000      N/A
* 108   4       Registry        0x9a077dfc8040  4       -       N/A     False   2021-09-07 14:24:29.000000      N/A
* 1868  4       MemCompression  0x9a0780c24080  42      -       N/A     False   2021-09-07 14:24:56.000000      N/A
468     456     csrss.exe       0x9a077f2db140  11      -       0       False   2021-09-07 14:24:53.000000      N/A
544     536     csrss.exe       0x9a077fe9e140  12      -       1       False   2021-09-07 14:24:53.000000      N/A
568     456     wininit.exe     0x9a077fead080  1       -       0       False   2021-09-07 14:24:53.000000      N/A
* 864   568     fontdrvhost.ex  0x9a077ff54140  5       -       0       False   2021-09-07 14:24:55.000000      N/A
* 708   568     lsass.exe       0x9a077ff1d080  13      -       0       False   2021-09-07 14:24:55.000000      N/A
* 668   568     services.exe    0x9a077fedd080  9       -       0       False   2021-09-07 14:24:55.000000      N/A
** 1540 668     svchost.exe     0x9a0780af7300  7       -       0       False   2021-09-07 14:24:56.000000      N/A
** 2564 668     spoolsv.exe     0x9a0780e8b0c0  7       -       0       False   2021-09-07 14:24:57.000000      N/A
** 2056 668     svchost.exe     0x9a0780cd92c0  7       -       0       False   2021-09-07 14:24:57.000000      N/A
** 3084 668     svchost.exe     0x9a078408b240  5       -       0       False   2021-09-07 14:24:57.000000      N/A
** 1044 668     svchost.exe     0x9a078090e300  32      -       0       False   2021-09-07 14:24:56.000000      N/A
** 1556 668     svchost.exe     0x9a0780c88080  5       -       0       False   2021-09-07 14:24:57.000000      N/A
** 1564 668     svchost.exe     0x9a0780b35280  3       -       0       False   2021-09-07 14:24:56.000000      N/A
** 5152 668     svchost.exe     0x9a0784b10300  8       -       1       False   2021-09-07 14:25:13.000000      N/A
** 2552 668     svchost.exe     0x9a0780e93300  11      -       0       False   2021-09-07 14:24:57.000000      N/A
** 3112 668     svchost.exe     0x9a078408d2c0  4       -       0       False   2021-09-07 14:24:57.000000      N/A
** 2096 668     svchost.exe     0x9a0780ce1300  5       -       0       False   2021-09-07 14:24:57.000000      N/A
** 2612 668     svchost.exe     0x9a0780e8f0c0  13      -       0       False   2021-09-07 14:24:57.000000      N/A
** 2104 668     svchost.exe     0x9a078405f080  7       -       0       False   2021-09-07 14:24:57.000000      N/A
** 1092 668     svchost.exe     0x9a0780c872c0  6       -       0       False   2021-09-07 14:24:57.000000      N/A
** 1612 668     svchost.exe     0x9a0780b85300  2       -       0       False   2021-09-07 14:24:56.000000      N/A
** 1620 668     MsMpEng.exe     0x9a0784061340  12      -       0       False   2021-09-07 14:24:57.000000      N/A
** 4180 668     svchost.exe     0x9a0784750080  7       -       0       False   2021-09-07 14:25:07.000000      N/A
** 10840        668     svchost.exe     0x9a0784698080  12      -       0       False   2021-09-07 14:50:38.000000      N/A
** 1116 668     svchost.exe     0x9a0780942280  3       -       0       False   2021-09-07 14:24:56.000000      N/A
** 2148 668     svchost.exe     0x9a0780dc12c0  8       -       0       False   2021-09-07 14:24:57.000000      N/A
** 1656 668     svchost.exe     0x9a0780b472c0  5       -       0       False   2021-09-07 14:24:56.000000      N/A
** 1664 668     svchost.exe     0x9a0780b49280  7       -       0       False   2021-09-07 14:24:56.000000      N/A
** 4224 668     svchost.exe     0x9a0784792240  9       -       0       False   2021-09-07 14:25:07.000000      N/A
** 1168 668     svchost.exe     0x9a0780952240  9       -       0       False   2021-09-07 14:24:56.000000      N/A
*** 4732        1168    taskhostw.exe   0x9a07848e72c0  0       -       1       False   2021-09-07 14:25:12.000000      2021-09-07 14:25:12.000000 
*** 4564        1168    taskhostw.exe   0x9a078487a340  11      -       1       False   2021-09-07 14:25:12.000000      N/A
** 8336 668     svchost.exe     0x9a0785547080  4       -       0       False   2021-09-07 14:26:59.000000      N/A
** 9872 668     svchost.exe     0x9a078651c300  0       -       0       False   2021-09-07 14:29:57.000000      2021-09-07 14:30:05.000000 
** 2200 668     svchost.exe     0x9a0780dea300  18      -       0       False   2021-09-07 14:24:57.000000      N/A
** 1692 668     svchost.exe     0x9a0780bb1240  3       -       0       False   2021-09-07 14:24:56.000000      N/A
** 2208 668     svchost.exe     0x9a0780de80c0  4       -       0       False   2021-09-07 14:24:57.000000      N/A
** 2216 668     svchost.exe     0x9a0780dec2c0  6       -       0       False   2021-09-07 14:24:57.000000      N/A
** 5300 668     SearchIndexer.  0x9a07848ea080  32      -       0       False   2021-09-07 14:25:14.000000      N/A
*** 5864        5300    SearchFilterHo  0x9a0784d4d080  4       -       0       False   2021-09-07 14:56:16.000000      N/A
*** 10500       5300    SearchProtocol  0x9a0784e560c0  6       -       0       False   2021-09-07 14:53:47.000000      N/A
** 1220 668     svchost.exe     0x9a0780965240  4       -       0       False   2021-09-07 14:24:56.000000      N/A
** 6340 668     svchost.exe     0x9a07851d42c0  3       -       0       False   2021-09-07 14:25:22.000000      N/A
** 9428 668     svchost.exe     0x9a078514b080  7       -       0       False   2021-09-07 14:32:03.000000      N/A
** 8412 668     SgrmBroker.exe  0x9a0785760080  7       -       0       False   2021-09-07 14:26:59.000000      N/A
** 1256 668     svchost.exe     0x9a07809c22c0  3       -       0       False   2021-09-07 14:24:56.000000      N/A
** 8696 668     svchost.exe     0x9a0785409080  6       -       1       False   2021-09-07 14:27:01.000000      N/A
** 1264 668     svchost.exe     0x9a07809c8300  4       -       0       False   2021-09-07 14:24:56.000000      N/A
** 2808 668     svchost.exe     0x9a0780eea2c0  3       -       0       False   2021-09-07 14:24:57.000000      N/A
** 1272 668     svchost.exe     0x9a07809ca300  8       -       0       False   2021-09-07 14:24:56.000000      N/A
** 5392 668     svchost.exe     0x9a07855e50c0  5       -       0       False   2021-09-07 14:25:39.000000      N/A
** 2328 668     svchost.exe     0x9a077de68080  3       -       0       False   2021-09-07 14:24:57.000000      N/A
** 10008        668     svchost.exe     0x9a0785ce2080  4       -       0       False   2021-09-07 14:55:12.000000      N/A
** 4916 668     svchost.exe     0x9a0784932280  4       -       0       False   2021-09-07 14:25:12.000000      N/A
*** 4944        4916    ctfmon.exe      0x9a07848e6280  12      -       1       False   2021-09-07 14:25:12.000000      N/A
** 5948 668     svchost.exe     0x9a078553c080  3       -       0       False   2021-09-07 14:55:13.000000      N/A
** 832  668     svchost.exe     0x9a077ff82240  28      -       0       False   2021-09-07 14:24:55.000000      N/A
*** 5780        832     SearchApp.exe   0x9a0784db8080  72      -       1       False   2021-09-07 14:25:18.000000      N/A
*** 4248        832     smartscreen.ex  0x9a07867790c0  16      -       1       False   2021-09-07 14:56:38.000000      N/A
*** 9500        832     RuntimeBroker.  0x9a0785c19080  0       -       1       False   2021-09-07 14:27:19.000000      2021-09-07 14:57:54.000000 
*** 5664        832     RuntimeBroker.  0x9a0784dd8300  2       -       1       False   2021-09-07 14:25:18.000000      N/A
*** 1700        832     RuntimeBroker.  0x9a0785429340  4       -       1       False   2021-09-07 14:27:57.000000      N/A
*** 7480        832     TextInputHost.  0x9a078575b300  11      -       1       False   2021-09-07 14:26:17.000000      N/A
*** 6844        832     RuntimeBroker.  0x9a078528e080  2       -       1       False   2021-09-07 14:25:30.000000      N/A
*** 5564        832     StartMenuExper  0x9a0784bf9080  9       -       1       False   2021-09-07 14:25:16.000000      N/A
*** 4156        832     RuntimeBroker.  0x9a077eb17300  6       -       1       False   2021-09-07 14:57:01.000000      N/A
*** 6212        832     RuntimeBroker.  0x9a0785162300  4       -       1       False   2021-09-07 14:25:22.000000      N/A
*** 9544        832     ShellExperienc  0x9a07866e1080  15      -       1       False   2021-09-07 14:28:49.000000      N/A
*** 5200        832     YourPhone.exe   0x9a0784edc080  14      -       1       False   2021-09-07 14:25:20.000000      N/A
*** 8020        832     UserOOBEBroker  0x9a0785b4b080  4       -       1       False   2021-09-07 14:28:18.000000      N/A
*** 6752        832     RuntimeBroker.  0x9a078528d300  16      -       1       False   2021-09-07 14:25:26.000000      N/A
**** 10284      6752    powershell.exe  0x9a0786752300  14      -       1       False   2021-09-07 14:35:13.000000      N/A
***** 5860      10284   winpmem_mini_x  0x9a077f3e70c0  1       -       1       False   2021-09-07 14:57:44.000000      N/A
***** 10268     10284   conhost.exe     0x9a0786744340  6       -       1       False   2021-09-07 14:35:13.000000      N/A
*** 10208       832     WinStore.App.e  0x9a077f7550c0  19      -       1       False   2021-09-07 14:27:53.000000      N/A
*** 992 832     WWAHost.exe     0x9a0785443300  50      -       1       False   2021-09-07 14:57:05.000000      N/A
*** 3944        832     dllhost.exe     0x9a07855d7300  13      -       1       False   2021-09-07 14:26:17.000000      N/A
*** 8044        832     ApplicationFra  0x9a07854c1340  19      -       1       False   2021-09-07 14:26:52.000000      N/A
*** 9452        832     RuntimeBroker.  0x9a078677b300  4       -       1       False   2021-09-07 14:28:50.000000      N/A
*** 6000        832     RuntimeBroker.  0x9a0784bce080  16      -       1       False   2021-09-07 14:25:19.000000      N/A
*** 2928        832     SystemSettings  0x9a077f74d080  17      -       1       False   2021-09-07 14:28:16.000000      N/A
*** 5368        832     LockApp.exe     0x9a0784dd9080  13      -       1       False   2021-09-07 14:25:21.000000      N/A
*** 10748       832     Calculator.exe  0x9a0785cec340  22      -       1       False   2021-09-07 14:57:01.000000      N/A
** 2372 668     svchost.exe     0x9a0780e09080  7       -       0       False   2021-09-07 14:24:57.000000      N/A
** 2904 668     svchost.exe     0x9a0780ff4240  5       -       0       False   2021-09-07 14:24:57.000000      N/A
** 4444 668     svchost.exe     0x9a07847ed300  11      -       1       False   2021-09-07 14:25:11.000000      N/A
** 2912 668     svchost.exe     0x9a0780ff6300  4       -       0       False   2021-09-07 14:24:57.000000      N/A
** 2920 668     svchost.exe     0x9a0780ff3080  6       -       0       False   2021-09-07 14:24:57.000000      N/A
** 1392 668     svchost.exe     0x9a0780a2e240  8       -       0       False   2021-09-07 14:24:56.000000      N/A
*** 4412        1392    sihost.exe      0x9a07844ab080  14      -       1       False   2021-09-07 14:25:11.000000      N/A
** 7024 668     SecurityHealth  0x9a0784bb3080  15      -       0       False   2021-09-07 14:25:32.000000      N/A
** 3444 668     svchost.exe     0x9a0784236240  3       -       0       False   2021-09-07 14:24:57.000000      N/A
** 2936 668     svchost.exe     0x9a0780ff7080  10      -       0       False   2021-09-07 14:24:57.000000      N/A
** 4472 668     svchost.exe     0x9a07847ee080  8       -       1       False   2021-09-07 14:25:11.000000      N/A
** 1404 668     svchost.exe     0x9a0780a302c0  5       -       0       False   2021-09-07 14:24:56.000000      N/A
** 2944 668     svchost.exe     0x9a0780ff8080  16      -       0       False   2021-09-07 14:24:57.000000      N/A
** 1412 668     svchost.exe     0x9a0780a32300  5       -       0       False   2021-09-07 14:24:56.000000      N/A
** 1924 668     svchost.exe     0x9a0780c2d300  8       -       0       False   2021-09-07 14:24:57.000000      N/A
** 904  668     svchost.exe     0x9a07852240c0  10      -       0       False   2021-09-07 14:25:37.000000      N/A
** 8584 668     svchost.exe     0x9a0784d8f080  9       -       0       False   2021-09-07 14:27:00.000000      N/A
** 1936 668     svchost.exe     0x9a0780c7b240  2       -       0       False   2021-09-07 14:24:57.000000      N/A
** 2964 668     svchost.exe     0x9a0784036240  11      -       0       False   2021-09-07 14:24:57.000000      N/A
** 10648        668     svchost.exe     0x9a07864c0080  4       -       0       False   2021-09-07 14:32:36.000000      N/A
** 5020 668     svchost.exe     0x9a078497a2c0  8       -       0       False   2021-09-07 14:25:12.000000      N/A
** 3996 668     svchost.exe     0x9a0784a4d080  6       -       0       False   2021-09-07 14:25:12.000000      N/A
** 7584 668     svchost.exe     0x9a07853e12c0  12      -       0       False   2021-09-07 14:26:57.000000      N/A
** 4016 668     svchost.exe     0x9a0784471080  8       -       0       False   2021-09-07 14:25:01.000000      N/A
** 952  668     svchost.exe     0x9a078083a2c0  16      -       0       False   2021-09-07 14:24:56.000000      N/A
** 8656 668     svchost.exe     0x9a0785249080  11      -       0       False   2021-09-07 14:27:00.000000      N/A
** 3544 668     svchost.exe     0x9a07846cb240  0       -       0       False   2021-09-07 14:25:06.000000      2021-09-07 14:35:42.000000 
** 7132 668     svchost.exe     0x9a07855f0240  4       -       0       False   2021-09-07 14:25:33.000000      N/A
** 9692 668     svchost.exe     0x9a07854ac080  5       -       0       False   2021-09-07 14:28:03.000000      N/A
** 4064 668     svchost.exe     0x9a078458e080  5       -       0       False   2021-09-07 14:54:56.000000      N/A
** 996  668     svchost.exe     0x9a078085c240  7       -       0       False   2021-09-07 14:24:56.000000      N/A
** 3048 668     svchost.exe     0x9a0780ff2280  3       -       0       False   2021-09-07 14:24:57.000000      N/A
** 3060 668     svchost.exe     0x9a078405e240  6       -       0       False   2021-09-07 14:24:57.000000      N/A
** 2040 668     svchost.exe     0x9a0780c85280  3       -       0       False   2021-09-07 14:24:57.000000      N/A
644     536     winlogon.exe    0x9a077fe9c140  3       -       1       False   2021-09-07 14:24:54.000000      N/A
* 856   644     fontdrvhost.ex  0x9a077ff89140  5       -       1       False   2021-09-07 14:24:55.000000      N/A
* 428   644     dwm.exe 0x9a078087f080  21      -       1       False   2021-09-07 14:24:56.000000      N/A
* 384   644     LogonUI.exe     0x9a078087e080  0       -       1       False   2021-09-07 14:24:56.000000      2021-09-07 14:25:29.000000 
* 4140  644     userinit.exe    0x9a07849b5080  0       -       1       False   2021-09-07 14:25:12.000000      2021-09-07 14:25:36.000000 
** 4012 4140    explorer.exe    0x9a07849b7340  71      -       1       False   2021-09-07 14:25:12.000000      N/A
*** 10432       4012    notepad.exe     0x9a0785775300  6       -       1       False   2021-09-07 14:56:56.000000      N/A
*** 1796        4012    powershell.exe  0x9a0785404300  15      -       1       False   2021-09-07 14:29:07.000000      N/A
**** 8592       1796    conhost.exe     0x9a0785c11300  5       -       1       False   2021-09-07 14:29:08.000000      N/A
*** 1832        4012    powershell_ise  0x9a07862e60c0  23      -       1       False   2021-09-07 14:30:48.000000      N/A
**** 10992      1832    conhost.exe     0x9a0784f26080  5       -       1       False   2021-09-07 14:33:01.000000      N/A
*** 6988        4012    SecurityHealth  0x9a0784d15080  6       -       1       False   2021-09-07 14:25:32.000000      N/A
*** 7120        4012    msedge.exe      0x9a0785297080  0       -       1       False   2021-09-07 14:25:33.000000      2021-09-07 14:56:33.000000 
**** 3652       7120    msedge.exe      0x9a0784da7080  36      -       1       False   2021-09-07 14:56:33.000000      N/A
***** 7008      3652    msedge.exe      0x9a07851dc080  18      -       1       False   2021-09-07 14:56:34.000000      N/A
***** 32        3652    msedge.exe      0x9a07854e7080  17      -       1       False   2021-09-07 14:56:41.000000      N/A
***** 3556      3652    msedge.exe      0x9a0785548340  0       -       1       False   2021-09-07 14:56:39.000000      2021-09-07 14:56:46.000000 
***** 420       3652    msedge.exe      0x9a07864f6300  13      -       1       False   2021-09-07 14:56:52.000000      N/A
***** 9896      3652    msedge.exe      0x9a0785b1e340  0       -       1       False   2021-09-07 14:56:39.000000      2021-09-07 14:57:44.000000 
***** 5832      3652    msedge.exe      0x9a078428b080  7       -       1       False   2021-09-07 14:57:39.000000      N/A
***** 10808     3652    msedge.exe      0x9a0785ad6340  16      -       1       False   2021-09-07 14:56:49.000000      N/A
***** 6540      3652    msedge.exe      0x9a0786787340  10      -       1       False   2021-09-07 14:56:51.000000      N/A
***** 1996      3652    msedge.exe      0x9a078582b080  15      -       1       False   2021-09-07 14:57:03.000000      N/A
***** 2744      3652    msedge.exe      0x9a0785228080  0       -       1       False   2021-09-07 14:57:30.000000      2021-09-07 14:57:40.000000 
***** 6032      3652    msedge.exe      0x9a0785218080  8       -       1       False   2021-09-07 14:56:33.000000      N/A
***** 5240      3652    msedge.exe      0x9a0785bd0080  15      -       1       False   2021-09-07 14:57:35.000000      N/A
***** 2488      3652    msedge.exe      0x9a0785cb4340  13      -       1       False   2021-09-07 14:56:46.000000      N/A
***** 4924      3652    msedge.exe      0x9a0784a66080  7       -       1       False   2021-09-07 14:56:34.000000      N/A
***** 1628      3652    msedge.exe      0x9a07854da340  17      -       1       False   2021-09-07 14:56:34.000000      N/A
*** 7096        4012    OneDrive.exe    0x9a0785236080  25      -       1       False   2021-09-07 14:25:32.000000      N/A
7308    5292    Spotify.exe     0x9a07851dd080  35      -       1       True    2021-09-07 14:25:42.000000      N/A
* 7620  7308    Spotify.exe     0x9a07855d0300  6       -       1       True    2021-09-07 14:25:49.000000      N/A
* 7908  7308    Spotify.exe     0x9a07856ef2c0  8       -       1       True    2021-09-07 14:25:55.000000      N/A
* 7720  7308    Spotify.exe     0x9a0785784080  7       -       1       True    2021-09-07 14:25:50.000000      N/A
* 8136  7308    Spotify.exe     0x9a0785bce0c0  12      -       1       True    2021-09-07 14:25:58.000000      N/A
* 7896  7308    Spotify.exe     0x9a07847db080  6       -       1       True    2021-09-07 14:25:55.000000      N/A
8180    2252    userinit.exe    0x9a07843ab080  3       -       1       True    2021-09-07 14:55:55.000000      N/A

The legitimate userinit.exe (PID 4140) was started by winlogon.exe (PID 644) at logon and has already exited. The second userinit.exe, PID 8180, was created half an hour later at 14:55:55, has a parent PID (2252) that appears nowhere in the tree, and runs under Wow64, so it is the malicious process.

flag{userinit.exe_8180}
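The same anomalies can be checked mechanically. The script below is an added example, not part of this writeup and not Volatility's own code: it parses rows in the windows.pstree.PsTree layout shown above, compares each core Windows binary against a baseline of expected parents, and reports rows whose parent is wrong or missing or which run under Wow64. The baseline table (EXPECTED_PARENT, TRANSIENT_PARENTS) is an assumption taken from standard Windows process-genealogy references; the sample rows are an excerpt of the listing above. It treats the dead smss.exe parents of csrss/wininit/winlogon as normal, which is the main false positive a naive orphan check produces.

```python
"""Triage a Volatility 3 windows.pstree.PsTree listing for parent/child anomalies.

Added example, not the writeup's or Volatility's code.  EXPECTED_PARENT and
TRANSIENT_PARENTS are an assumed baseline, not something taken from the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Which parent image each core Windows binary is normally spawned by (assumed baseline).
EXPECTED_PARENT = {
    "smss.exe": {"System"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "userinit.exe": {"winlogon.exe"},
    "explorer.exe": {"userinit.exe"},
}
# smss.exe spawns its child and exits, so csrss/wininit/winlogon normally have a
# parent PID that is no longer in the listing.  That alone is not an anomaly.
TRANSIENT_PARENTS = {"smss.exe"}

# One PsTree data row: optional '*' depth markers, then the ten columns of the listing.
ROW = re.compile(
    r"^(?P<depth>\**)\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<image>\S+)\s+"
    r"(?P<offset>0x[0-9a-fA-F]+)\s+(?P<threads>\d+)\s+(?P<handles>\S+)\s+"
    r"(?P<session>\S+)\s+(?P<wow64>True|False)\s+"
    r"(?P<created>\S+ \S+)\s+(?P<exited>.*?)\s*$"
)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    wow64: bool
    created: str
    exited: str


def parse_pstree(text: str) -> dict[int, Proc]:
    """Return {pid: Proc} for every data row; the header and blank lines are skipped."""
    procs: dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        procs[int(m["pid"])] = Proc(
            pid=int(m["pid"]), ppid=int(m["ppid"]), image=m["image"],
            wow64=(m["wow64"] == "True"), created=m["created"], exited=m["exited"],
        )
    return procs


def triage(procs: dict[int, Proc]) -> list[tuple[int, str, str]]:
    """Return (pid, image, reason) for each baselined process that breaks the baseline."""
    findings = []
    for p in procs.values():
        expected = EXPECTED_PARENT.get(p.image.lower())
        if expected is None:
            continue  # not a baselined binary; nothing to compare against
        want = ", ".join(sorted(expected))
        parent = procs.get(p.ppid)
        if parent is None:
            # A missing parent is only suspicious when the expected parent is long-lived.
            if not expected <= TRANSIENT_PARENTS:
                findings.append((p.pid, p.image,
                                 f"parent PID {p.ppid} is not in the listing (expected {want})"))
        elif parent.image.lower() not in {e.lower() for e in expected}:
            findings.append((p.pid, p.image,
                             f"spawned by {parent.image} ({parent.pid}), expected {want}"))
        if p.wow64:
            findings.append((p.pid, p.image,
                             "Wow64=True for a binary that should be native on a 64-bit host"))
    return findings


def format_flag(p: Proc) -> str:
    """Render a process in the challenge's flag{process-name_pid} format."""
    return f"flag{{{p.image}_{p.pid}}}"


# Excerpt of the PsTree listing above (same values, subset of rows).
SAMPLE = """\
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime

4       0       System  0x9a077de79040  116     -       N/A     False   2021-09-07 14:24:34.000000      N/A
* 372   4       smss.exe        0x9a077eacc040  2       -       N/A     False   2021-09-07 14:24:34.000000      N/A
468     456     csrss.exe       0x9a077f2db140  11      -       0       False   2021-09-07 14:24:53.000000      N/A
568     456     wininit.exe     0x9a077fead080  1       -       0       False   2021-09-07 14:24:53.000000      N/A
* 668   568     services.exe    0x9a077fedd080  9       -       0       False   2021-09-07 14:24:55.000000      N/A
** 1540 668     svchost.exe     0x9a0780af7300  7       -       0       False   2021-09-07 14:24:56.000000      N/A
644     536     winlogon.exe    0x9a077fe9c140  3       -       1       False   2021-09-07 14:24:54.000000      N/A
* 4140  644     userinit.exe    0x9a07849b5080  0       -       1       False   2021-09-07 14:25:12.000000      2021-09-07 14:25:36.000000
** 4012 4140    explorer.exe    0x9a07849b7340  71      -       1       False   2021-09-07 14:25:12.000000      N/A
7308    5292    Spotify.exe     0x9a07851dd080  35      -       1       True    2021-09-07 14:25:42.000000      N/A
8180    2252    userinit.exe    0x9a07843ab080  3       -       1       True    2021-09-07 14:55:55.000000      N/A
"""

if __name__ == "__main__":
    procs = parse_pstree(SAMPLE)
    for pid, image, reason in triage(procs):
        print(f"{pid:>6} {image:<16} {reason}")
    # Only PID 8180 is reported; its flag form is flag{userinit.exe_8180}.
```

Run against a full listing (for example the output of the command above redirected to a file and passed to parse_pstree), only the two userinit.exe rows are compared against the winlogon.exe baseline; the orphaned csrss/wininit/winlogon rows are accepted because their expected parent is transient, and Spotify.exe's Wow64=True is ignored because it is not a baselined system binary.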