Writeup: Advent of Cyber 4 Day 11 - AtomicMaya/knowledge-base GitHub Wiki

Advent of Cyber 4 - Day 11

Link: Advent Of Cyber 4 on TryHackMe

Question 1

What is the Windows version number that the memory image captured?

We run python3 vol.py -f workstation.vmem windows.info and read the NtMajorVersion field in the output (the kernel major version of the image):

Answer: 10

Question 2

What is the name of the binary/gift that secret Santa left?

We run python3 vol.py -f workstation.vmem windows.pslist and look through the ImageFileName column for a process name that does not belong on a normal workstation:

Answer: mysterygift.exe

Question 3

What is the Process ID (PID) of this binary?

We read the PID column of the same windows.pslist row.

Answer: 2040

Question 4

Dump the contents of this binary. How many files are dumped?

We run python3 vol.py -f workstation.vmem windows.dumpfiles --pid 2040 and count the rows in the output (or the files written to the output directory). With --pid, windows.dumpfiles writes out every file object the process has mapped or open (the executable image plus the DLLs and data files it references), which is why the count is more than one file.

Answer: 16