
Windows Pains 2

Category Points

Details

One of De Monne's employees had their personal Windows computer hacked by a member of DEADFACE. The attacker managed to exploit a portion of a database backup that contains sensitive employee and customer PII.

Using the same memory dump file as the first challenge in this series (Windows Pains), submit the victim's computer name.

Submit the flag as flag{COMPUTER-NAME}.


Using Volatility 3 we dump every process's environment block with the `windows.envars` plugin and filter for the `COMPUTERNAME` variable: `python3 vol.py -f physmemraw windows.envars | grep "COMPUTERNAME"`. Note that `sudo` (used in the transcript below) is not required: the image is an ordinary file, and parsing an untrusted memory dump as root gives the analysis toolchain more privilege than it needs — use it only if the dump's file permissions actually demand it. `COMPUTERNAME` is a per-process environment variable, so the result is only trustworthy because every process agrees; if the values differed, the authoritative source would be the SYSTEM hive (`windows.registry.printkey --key "ControlSet001\Control\ComputerName\ComputerName"`).

❯ sudo python3 /opt/volatility3/vol.py -f physmemraw windows.envars | grep "COMPUTERNAME"
568     wininit.exe     0x2760e6015c0   COMPUTERNAME    DESKTOP-IT8QNRI
644     winlogon.exe    0x2a6290a15c0   COMPUTERNAME    DESKTOP-IT8QNRI
668     services.exe    0x18faf803120   COMPUTERNAME    DESKTOP-IT8QNRI
708     lsass.exe       0x23442203120   COMPUTERNAME    DESKTOP-IT8QNRI
832     svchost.exe     0x1e39d603300   COMPUTERNAME    DESKTOP-IT8QNRI
952     svchost.exe     0x1c6c2e03390   COMPUTERNAME    DESKTOP-IT8QNRI
996     svchost.exe     0x2da88203300   COMPUTERNAME    DESKTOP-IT8QNRI
428     dwm.exe 0x19f91801910   COMPUTERNAME    DESKTOP-IT8QNRI
1044    svchost.exe     0x26318003390   COMPUTERNAME    DESKTOP-IT8QNRI
1116    svchost.exe     0x1e2ee403300   COMPUTERNAME    DESKTOP-IT8QNRI
1168    svchost.exe     0x20d91003300   COMPUTERNAME    DESKTOP-IT8QNRI
1220    svchost.exe     0x15525003310   COMPUTERNAME    DESKTOP-IT8QNRI
1256    svchost.exe     0x2459fa03380   COMPUTERNAME    DESKTOP-IT8QNRI
1264    svchost.exe     0x19f93003380   COMPUTERNAME    DESKTOP-IT8QNRI
1272    svchost.exe     0x1bdca403380   COMPUTERNAME    DESKTOP-IT8QNRI
1392    svchost.exe     0x1d571403310   COMPUTERNAME    DESKTOP-IT8QNRI
1404    svchost.exe     0x1f4e1203380   COMPUTERNAME    DESKTOP-IT8QNRI
1412    svchost.exe     0x1e7b6803380   COMPUTERNAME    DESKTOP-IT8QNRI
1540    svchost.exe     0x1a786803380   COMPUTERNAME    DESKTOP-IT8QNRI
1564    svchost.exe     0x159ed203300   COMPUTERNAME    DESKTOP-IT8QNRI
1612    svchost.exe     0x1870f203380   COMPUTERNAME    DESKTOP-IT8QNRI
1656    svchost.exe     0x23f7f203380   COMPUTERNAME    DESKTOP-IT8QNRI
1664    svchost.exe     0x26d73e03310   COMPUTERNAME    DESKTOP-IT8QNRI
1692    svchost.exe     0x1a8ef003310   COMPUTERNAME    DESKTOP-IT8QNRI
1924    svchost.exe     0x1cd20c03390   COMPUTERNAME    DESKTOP-IT8QNRI
1936    svchost.exe     0x1a5aa203300   COMPUTERNAME    DESKTOP-IT8QNRI
2040    svchost.exe     0x28734c03300   COMPUTERNAME    DESKTOP-IT8QNRI
1092    svchost.exe     0x1cbca003380   COMPUTERNAME    DESKTOP-IT8QNRI
1556    svchost.exe     0x1755a203300   COMPUTERNAME    DESKTOP-IT8QNRI
2056    svchost.exe     0x1607a203380   COMPUTERNAME    DESKTOP-IT8QNRI
2096    svchost.exe     0x1ddf3203390   COMPUTERNAME    DESKTOP-IT8QNRI
2148    svchost.exe     0x202a7c03380   COMPUTERNAME    DESKTOP-IT8QNRI
2200    svchost.exe     0x2d055803390   COMPUTERNAME    DESKTOP-IT8QNRI
2208    svchost.exe     0x22240603380   COMPUTERNAME    DESKTOP-IT8QNRI
2216    svchost.exe     0x1e894203380   COMPUTERNAME    DESKTOP-IT8QNRI
2328    svchost.exe     0x20f1a403300   COMPUTERNAME    DESKTOP-IT8QNRI
2372    svchost.exe     0x28f6a803300   COMPUTERNAME    DESKTOP-IT8QNRI
2552    svchost.exe     0x1d550403380   COMPUTERNAME    DESKTOP-IT8QNRI
2612    svchost.exe     0x14190003380   COMPUTERNAME    DESKTOP-IT8QNRI
2808    svchost.exe     0x13773603380   COMPUTERNAME    DESKTOP-IT8QNRI
2904    svchost.exe     0x24fd7603300   COMPUTERNAME    DESKTOP-IT8QNRI
2912    svchost.exe     0x2bf76c03390   COMPUTERNAME    DESKTOP-IT8QNRI
2920    svchost.exe     0x1fecc003390   COMPUTERNAME    DESKTOP-IT8QNRI
2936    svchost.exe     0x222fd603300   COMPUTERNAME    DESKTOP-IT8QNRI
2944    svchost.exe     0x1c6ff003380   COMPUTERNAME    DESKTOP-IT8QNRI
2964    svchost.exe     0x2c83dc03300   COMPUTERNAME    DESKTOP-IT8QNRI
3048    svchost.exe     0x2274ea03300   COMPUTERNAME    DESKTOP-IT8QNRI
3060    svchost.exe     0x19ab5403300   COMPUTERNAME    DESKTOP-IT8QNRI
2104    svchost.exe     0x28a0d603300   COMPUTERNAME    DESKTOP-IT8QNRI
1620    MsMpEng.exe     0x1d550f71af0   COMPUTERNAME    DESKTOP-IT8QNRI
3084    svchost.exe     0x26b1d003300   COMPUTERNAME    DESKTOP-IT8QNRI
3112    svchost.exe     0x1e0fe203380   COMPUTERNAME    DESKTOP-IT8QNRI
3444    svchost.exe     0x1ac18003300   COMPUTERNAME    DESKTOP-IT8QNRI
4016    svchost.exe     0x212bba03380   COMPUTERNAME    DESKTOP-IT8QNRI
4180    svchost.exe     0x14aa7203310   COMPUTERNAME    DESKTOP-IT8QNRI
4224    svchost.exe     0x2bc54a03300   COMPUTERNAME    DESKTOP-IT8QNRI
4412    sihost.exe      0x1c067791ba0   COMPUTERNAME    DESKTOP-IT8QNRI
4444    svchost.exe     0x29ca26033c0   COMPUTERNAME    DESKTOP-IT8QNRI
4472    svchost.exe     0x2102ac033c0   COMPUTERNAME    DESKTOP-IT8QNRI
4916    svchost.exe     0x225e4203300   COMPUTERNAME    DESKTOP-IT8QNRI
4944    ctfmon.exe      0x15a6f571ba0   COMPUTERNAME    DESKTOP-IT8QNRI
5020    svchost.exe     0x2ad0e603380   COMPUTERNAME    DESKTOP-IT8QNRI
4012    explorer.exe    0x5f1bd0        COMPUTERNAME    DESKTOP-IT8QNRI
3996    svchost.exe     0x20aec403380   COMPUTERNAME    DESKTOP-IT8QNRI
5152    svchost.exe     0x286c08033c0   COMPUTERNAME    DESKTOP-IT8QNRI
5300    SearchIndexer.  0x1b74ee01af0   COMPUTERNAME    DESKTOP-IT8QNRI
5564    StartMenuExper  0x13e33c03550   COMPUTERNAME    DESKTOP-IT8QNRI
5664    RuntimeBroker.  0x227ed8033c0   COMPUTERNAME    DESKTOP-IT8QNRI
5780    SearchApp.exe   0x26bb74034f0   COMPUTERNAME    DESKTOP-IT8QNRI
6000    RuntimeBroker.  0x1cbeb4033c0   COMPUTERNAME    DESKTOP-IT8QNRI
5200    YourPhone.exe   0x23f0e4034d0   COMPUTERNAME    DESKTOP-IT8QNRI
6212    RuntimeBroker.  0x1b1968033c0   COMPUTERNAME    DESKTOP-IT8QNRI
6340    svchost.exe     0x20510e03380   COMPUTERNAME    DESKTOP-IT8QNRI
6752    RuntimeBroker.  0x240440033c0   COMPUTERNAME    DESKTOP-IT8QNRI
6844    RuntimeBroker.  0x276c08033c0   COMPUTERNAME    DESKTOP-IT8QNRI
6988    SecurityHealth  0x21a797e1c90   COMPUTERNAME    DESKTOP-IT8QNRI
7024    SecurityHealth  0x22c36261af0   COMPUTERNAME    DESKTOP-IT8QNRI
7132    svchost.exe     0x214cd003310   COMPUTERNAME    DESKTOP-IT8QNRI
904     svchost.exe     0x293cc203300   COMPUTERNAME    DESKTOP-IT8QNRI
5392    svchost.exe     0x1b733003300   COMPUTERNAME    DESKTOP-IT8QNRI
7620    Spotify.exe     0x1c03410       COMPUTERNAME    DESKTOP-IT8QNRI
7480    TextInputHost.  0x24f22e03500   COMPUTERNAME    DESKTOP-IT8QNRI
3944    dllhost.exe     0x14d8a051ba0   COMPUTERNAME    DESKTOP-IT8QNRI
8044    ApplicationFra  0x18d9aac1ba0   COMPUTERNAME    DESKTOP-IT8QNRI
7584    svchost.exe     0x1af2da03390   COMPUTERNAME    DESKTOP-IT8QNRI
8336    svchost.exe     0x27d7d603300   COMPUTERNAME    DESKTOP-IT8QNRI
8584    svchost.exe     0x1f14e203300   COMPUTERNAME    DESKTOP-IT8QNRI
8656    svchost.exe     0x20bc9e03380   COMPUTERNAME    DESKTOP-IT8QNRI
8696    svchost.exe     0x277312033c0   COMPUTERNAME    DESKTOP-IT8QNRI
1700    RuntimeBroker.  0x1d6ec4033c0   COMPUTERNAME    DESKTOP-IT8QNRI
9692    svchost.exe     0x1e44aa03300   COMPUTERNAME    DESKTOP-IT8QNRI
8020    UserOOBEBroker  0x26cec6c1ba0   COMPUTERNAME    DESKTOP-IT8QNRI
9544    ShellExperienc  0x207b1403540   COMPUTERNAME    DESKTOP-IT8QNRI
9452    RuntimeBroker.  0x1b6174033c0   COMPUTERNAME    DESKTOP-IT8QNRI
1796    powershell.exe  0x2b90ca41c90   COMPUTERNAME    DESKTOP-IT8QNRI
8592    conhost.exe     0x23b42571c90   COMPUTERNAME    DESKTOP-IT8QNRI
1832    powershell_ise  0x26eddb71c90   COMPUTERNAME    DESKTOP-IT8QNRI
9428    svchost.exe     0x1bc78803380   COMPUTERNAME    DESKTOP-IT8QNRI
10648   svchost.exe     0x1b7fa203300   COMPUTERNAME    DESKTOP-IT8QNRI
10992   conhost.exe     0x240d4f01d00   COMPUTERNAME    DESKTOP-IT8QNRI
10284   powershell.exe  0x2192f471ba0   COMPUTERNAME    DESKTOP-IT8QNRI
10268   conhost.exe     0x138ee371ba0   COMPUTERNAME    DESKTOP-IT8QNRI
10840   svchost.exe     0x1cecbc03300   COMPUTERNAME    DESKTOP-IT8QNRI
10500   SearchProtocol  0x254d0f21ba0   COMPUTERNAME    DESKTOP-IT8QNRI
4064    svchost.exe     0x26845603300   COMPUTERNAME    DESKTOP-IT8QNRI
10008   svchost.exe     0x1fbda203300   COMPUTERNAME    DESKTOP-IT8QNRI
5948    svchost.exe     0x2ea60803300   COMPUTERNAME    DESKTOP-IT8QNRI
8180    userinit.exe    0x1e1cc0        COMPUTERNAME    DESKTOP-IT8QNRI
5864    SearchFilterHo  0x15cacf01ba0   COMPUTERNAME    DESKTOP-IT8QNRI
3652    msedge.exe      0x1ef3dc03840   COMPUTERNAME    DESKTOP-IT8QNRI
6032    msedge.exe      0x197e0803840   COMPUTERNAME    DESKTOP-IT8QNRI
7008    msedge.exe      0x218c3203840   COMPUTERNAME    DESKTOP-IT8QNRI
1628    msedge.exe      0x15061c03840   COMPUTERNAME    DESKTOP-IT8QNRI
4924    msedge.exe      0x28138a03840   COMPUTERNAME    DESKTOP-IT8QNRI
4248    smartscreen.ex  0x20e4c331ba0   COMPUTERNAME    DESKTOP-IT8QNRI
32      msedge.exe      0x228b5c03840   COMPUTERNAME    DESKTOP-IT8QNRI
2488    msedge.exe      0x184f4e03840   COMPUTERNAME    DESKTOP-IT8QNRI
10808   msedge.exe      0x1e564803840   COMPUTERNAME    DESKTOP-IT8QNRI
6540    msedge.exe      0x2436ca03840   COMPUTERNAME    DESKTOP-IT8QNRI
420     msedge.exe      0x1c6e9803840   COMPUTERNAME    DESKTOP-IT8QNRI
10432   notepad.exe     0x168a68a1c90   COMPUTERNAME    DESKTOP-IT8QNRI
10748   Calculator.exe  0x267fcc03500   COMPUTERNAME    DESKTOP-IT8QNRI
4156    RuntimeBroker.  0x12ffd6033c0   COMPUTERNAME    DESKTOP-IT8QNRI
1996    msedge.exe      0x1f70ce03840   COMPUTERNAME    DESKTOP-IT8QNRI
992     WWAHost.exe     0x1bb4e003500   COMPUTERNAME    DESKTOP-IT8QNRI
5240    msedge.exe      0x24047a03840   COMPUTERNAME    DESKTOP-IT8QNRI
5832    msedge.exe      0x20d4d203840   COMPUTERNAME    DESKTOP-IT8QNRI
5860    winpmem_mini_x  0x1ef7b0e1c10   COMPUTERNAME    DESKTOP-IT8QNRI

Every process, from wininit.exe and lsass.exe down to the user-level applications, reports the same value, so the computer name is unambiguously DESKTOP-IT8QNRI. (The final row, PID 5860 `winpmem_mini_x…`, is the truncated name of the WinPmem acquisition tool that produced this dump — its presence is expected and is not attacker activity.)

flag{DESKTOP-IT8QNRI}