Skip to content

Writeup: Advent of Cyber 4 Day 11

Jump to bottom
AtomicMaya edited this page Dec 13, 2022 · 1 revision

Advent of Cyber 4 - Day 11

Link: Advent Of Cyber 4 on TryHackMe

Question 1

What is the Windows version number that the memory image captured?

We run python3 vol.py -f workstation.vmem windows.info:

Answer: 10

Question 2

What is the name of the binary/gift that secret Santa left?

We run python3 vol.py -f workstation.vmem windows.pslist:

Answer: mysterygift.exe

Question 3

What is the Process ID (PID) of this binary?

We check the associated column.

Answer: 2040

Question 4

Dump the contents of this binary. How many files are dumped?

We run python3 vol.py -f workstation.vmem windows.dumpfiles --pid 2040 and then count the number of results.

Answer: 16

Clone this wiki locally