Scenario

Exorcise Black Energy 2 from Shadowbrook’s digital infrastructure by reverse-engineering the malware’s code. You must dismantle its hooks, identify its payload, and stop its command-and-control mechanisms to restore peace to the town’s network before the Haunted Festival reaches its darkest hour.

https://blueteamlabs.online/home/investigation/nonyx-63b4769449


Q1) Which process most likely contains injected code, providing its name, PID, and memory address? (Format: Name, PID, Address)

svchost.exe, 856, 0xc30000


From the scenario and the memory dump's file name we know we are analyzing BlackEnergy malware.

For this question I used malfind to find that svchost.exe was injected.

Q2) What dump file in the malfind output directory corresponds to the memory address identified for code injection? (Format: Output File Name)

process.0x80ff88d8.0xc30000.dmp



Adding --dump-dir to the malfind command writes each suspicious memory section to a file in that directory (here, the section at 0xc30000 inside svchost.exe); the name of the resulting file is the answer to this question.

Q3) Which full filename path is referenced in the strings output of the memory section identified by malfind as containing a portable executable (PE32/MZ header)? (Format: Filename Path)
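For the Q3 step, checking that the dumped section really begins with an MZ/PE header and pulling file paths out of its strings, the following script does the check offline on a malfind .dmp file. It is an added example, not part of the original write-up or the lab; the build_sample bytes and the C:\constructed\dropper.dll path in it are constructed stand-ins, not content from the BlackEnergy dump.

```python
import re
import struct
import sys

# Constructed stand-in for a malfind .dmp section: an MZ header whose
# e_lfanew points at a PE signature, followed by one ASCII path and one
# UTF-16LE path. None of these bytes come from the real dump.
def build_sample() -> bytes:
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    body = b"\x00" * 16 + b"C:\\constructed\\dropper.dll" + b"\x00" * 4
    body += "\\\\.\\PhysicalDrive0".encode("utf-16-le") + b"\x00\x00"
    return bytes(hdr) + body

def has_pe_header(data: bytes) -> bool:
    """True if the section starts with MZ and e_lfanew lands on the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def extract_strings(data: bytes) -> list:
    """Like the strings tool, but also returns UTF-16LE (wide) strings,
    which strings misses by default and Windows binaries use heavily."""
    out = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return out

# Drive-letter or UNC/device paths; spaces are excluded on purpose, so a
# path containing them would need a looser pattern.
PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\)[^\s"<>|]+$')

def find_file_paths(data: bytes) -> list:
    """Filter the section's strings down to Windows file/device paths."""
    return [s for s in extract_strings(data) if PATH_RE.match(s)]

if __name__ == "__main__":
    # Usage: python check_dump.py process.0x80ff88d8.0xc30000.dmp
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("PE header:", has_pe_header(data))
    for p in find_file_paths(data):
        print(p)
```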