CHIqueen
We've found out that the malware is a ransomware. Find the attacker's bitcoin address.
First, dump the process.
$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D ./
Volatility Foundation Volatility Framework 2.6 Process(V) ImageBase Name Result ------------------ ------------------ -------------------- ------ 0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex OK: executable.3720.exe ..
The reason that we took rick's PC memory dump is because there was a malware infection. Please find the malware process name (including the extension). BEWARE! There are only 3 attempts to get the right flag!
We are given three attempts and asked to find the name of the malicious process. First, let's look at the process list.
Name Pid PPid Thds Hnds Time -------------------------------------------------- ------ ------ ------ ------ ---- 0xfffffa801b27e060:explore..
Silly rick always forgets his email's password, so he uses a Stored Password Services online to store his password. He always copies and pastes the password so he will not get it wrong. What's rick's email password?
It says he copies and pastes the email password, so it should still be in the clipboard. Let's dump the clipboard.
$ vol.py -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.6 Session WindowStation ..