You have been given a memory image from a compromised machine. Analyze the image and figure out the details of the attack.
What profile should you use for this memory sample?
What is the KDBG virtual address of the memory sample?
There is a malicious process running, but it's hidden. What's its name?
What is the physical offset of the malicious process?
What is the full path (including executable name) of the hidden executable?
Which malware is this?
The malicious process had two PEs injected into its memory. What is the size in bytes of the VAD that contains the largest injected PE? Answer in hex, like: 0xABC
This process was unlinked from the ActiveProcessLinks list. Follow its forward link. Which process does it lead to? Answer with its name and extension.
What is the pool tag of the malicious process in ASCII? (HINT: use volshell)
What is the physical address of the hidden executable's pool tag? (HINT: use volshell)
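The hidden-process, forward-link and pool-tag questions above all come down to one idea: a process unlinked from ActiveProcessLinks (DKOM) disappears from a list walk but its object, its pool header and its own Flink/Blink fields are still in memory, so a scan-versus-list cross-view finds it. The script below is an added teaching example, not part of the challenge and not Volatility code: it builds a small constructed "image" inline with a simplified, hypothetical _EPROCESS layout (the field offsets and 8-byte pool header are stand-ins, not real Windows offsets; only the "Proc" tag is the real process pool tag) and then performs a pslist-style walk, a psscan-style carve, the diff between them, the forward-link follow, and the pool-tag read, so it runs offline without a memory sample.

```python
"""Cross-view detection of an unlinked (hidden) process in a constructed
memory image.  Added example: the struct layout, offsets and pool header
format are simplified stand-ins for the real _EPROCESS/_POOL_HEADER, and
the "image" is a bytearray built inline so the script runs offline."""
import struct

# --- hypothetical, simplified _EPROCESS layout (NOT real Windows offsets) ---
NAME_OFF, NAME_LEN = 0, 16          # ImageFileName, NUL padded
PID_OFF = 16                         # UniqueProcessId, uint32
LINKS_OFF = 24                       # ActiveProcessLinks (Flink, Blink), 2 x uint64
POOL_HDR_SIZE = 8                    # header sits immediately before the object
POOL_TAG = b"Proc"                   # real pool tag for process objects
LIST_HEAD = 0x50                     # stand-in for PsActiveProcessHead

def _entry(base):
    """Address of the LIST_ENTRY embedded in the object at base."""
    return base + LINKS_OFF

def build_memory():
    """Construct the sample image: three linked processes plus one that was
    unlinked (DKOM) but whose object, pool header and link fields remain."""
    mem = bytearray(0x1000)
    procs = [  # (base, name, pid) - constructed values
        (0x100, b"System", 4),
        (0x200, b"explorer.exe", 1234),
        (0x300, b"malware.exe", 4321),   # hidden: removed from the list
        (0x400, b"lsass.exe", 600),
    ]
    for base, name, pid in procs:
        mem[base - POOL_HDR_SIZE:base] = b"\x00" * 4 + POOL_TAG
        mem[base + NAME_OFF:base + NAME_OFF + NAME_LEN] = name.ljust(NAME_LEN, b"\x00")
        struct.pack_into("<I", mem, base + PID_OFF, pid)
    # Visible chain: head -> System -> explorer -> lsass -> head
    chain = [LIST_HEAD, _entry(0x100), _entry(0x200), _entry(0x400)]
    for i, ent in enumerate(chain):
        struct.pack_into("<QQ", mem, ent, chain[(i + 1) % len(chain)], chain[i - 1])
    # The unlinked process still points at its former neighbours
    struct.pack_into("<QQ", mem, _entry(0x300), _entry(0x400), _entry(0x200))
    return bytes(mem)

def read_name(mem, base):
    return mem[base + NAME_OFF:base + NAME_OFF + NAME_LEN].split(b"\x00", 1)[0].decode()

def list_walk(mem, head=LIST_HEAD):
    """pslist-style view: follow Flink from the list head until it returns."""
    seen, names = set(), []
    flink = struct.unpack_from("<Q", mem, head)[0]
    while flink != head and flink not in seen:
        seen.add(flink)
        base = flink - LINKS_OFF          # CONTAINING_RECORD: entry -> object
        names.append((base, read_name(mem, base)))
        flink = struct.unpack_from("<Q", mem, flink)[0]
    return names

def pool_scan(mem):
    """psscan-style view: carve every object whose pool header carries the tag."""
    found, pos = [], mem.find(POOL_TAG)
    while pos != -1:
        base = pos + 4                    # tag is the last 4 bytes of the header
        found.append((base, read_name(mem, base)))
        pos = mem.find(POOL_TAG, pos + 1)
    return found

def hidden_processes(mem):
    """Cross-view diff: present in the scan, absent from the linked list."""
    listed = {b for b, _ in list_walk(mem)}
    return [(b, n) for b, n in pool_scan(mem) if b not in listed]

def follow_flink(mem, base):
    """Which process does this object's forward link lead to?"""
    flink = struct.unpack_from("<Q", mem, _entry(base))[0]
    return read_name(mem, flink - LINKS_OFF)

def pool_tag(mem, base):
    """Return (tag as ASCII, address of the tag) for the object at base."""
    addr = base - 4
    return mem[addr:addr + 4].decode("ascii"), addr

if __name__ == "__main__":
    img = build_memory()
    print("listed :", [n for _, n in list_walk(img)])
    print("scanned:", [n for _, n in pool_scan(img)])
    for base, name in hidden_processes(img):
        print(f"hidden {name} at {base:#x}, flink -> {follow_flink(img, base)},"
              f" pool tag {pool_tag(img, base)}")
```

In a real image the addresses are physical offsets from a scan but virtual addresses inside the list, so the same diff needs the profile's address translation in between; that is exactly why the profile and KDBG questions come first.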