Our intrusion detection system has alerted us to suspicious behavior on a workstation, pointing to a likely malware intrusion. A memory dump of this system has been taken for analysis. Your task is to analyze this dump, trace the malware’s actions, and report key findings.
https://cyberdefenders.org/blueteam-ctf-challenges/ramnit/


pstree (Volatility windows.pstree) showed ChromeSetup.exe as an obvious candidate in the process tree.

netstat tied that same PID to a network connection to 58.64.204.181, showing active outbound communication from the process.

windows.cmdline | grep -i chromesetup shows it running from C:\Users\alex\Downloads\ChromeSetup.exe.



Then dumped the process (windows.dumpfiles --pid 4628) and uploaded the binary's hash to VirusTotal, which returned a 100% malicious
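As an added example (not part of the original writeup), the script below automates the correlation done by hand above: it joins windows.pslist, windows.netstat and windows.cmdline output on PID and flags any process that runs from a user-writable directory and holds a connection to a public address. The sample table lines are constructed, tab-separated in the layout Volatility 3's default renderer is assumed to print; only the PID, remote IP and path are taken from the writeup, the rest is filler.

```python
"""Correlate Volatility 3 pslist / netstat / cmdline tables by PID."""
import ipaddress
import re

# CONSTRUCTED sample output: tab-separated columns as Volatility 3 prints them.
# PID 4628, 58.64.204.181 and the Downloads path come from the writeup; the
# remaining rows are invented so the filter has something benign to ignore.
PSLIST = """PID\tPPID\tImageFileName
4628\t2036\tChromeSetup.exe
2036\t764\texplorer.exe
804\t624\tsvchost.exe
"""
NETSTAT = """Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner
0x1\tTCPv4\t10.0.0.5\t49713\t58.64.204.181\t443\tESTABLISHED\t4628\tChromeSetup.exe
0x2\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t804\tsvchost.exe
"""
CMDLINE = """PID\tProcess\tArgs
4628\tChromeSetup.exe\tC:\\Users\\alex\\Downloads\\ChromeSetup.exe
2036\texplorer.exe\tC:\\Windows\\Explorer.EXE
804\tsvchost.exe\tC:\\Windows\\system32\\svchost.exe -k RPCSS
"""

# Paths a normal user can write to; a binary executing from here deserves a look.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(downloads|appdata)\\", re.I)


def parse_table(text):
    """Turn one tab-separated Volatility table into a list of dicts keyed by header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def suspicious_processes(pslist, netstat, cmdline):
    """Return {pid: details} for processes that run from a user-writable path
    AND talk to a public (non-private, non-reserved) remote address."""
    args = {row["PID"]: row["Args"] for row in parse_table(cmdline)}
    remote = {}
    for row in parse_table(netstat):
        try:
            ip = ipaddress.ip_address(row["ForeignAddr"])
        except ValueError:
            continue  # e.g. '*' placeholders on listening sockets
        if ip.is_global:
            remote.setdefault(row["PID"], set()).add(str(ip))
    findings = {}
    for row in parse_table(pslist):
        pid = row["PID"]
        if pid in remote and USER_WRITABLE.match(args.get(pid, "")):
            findings[pid] = {"image": row["ImageFileName"],
                             "path": args[pid], "remote": sorted(remote[pid])}
    return findings


if __name__ == "__main__":
    for pid, info in suspicious_processes(PSLIST, NETSTAT, CMDLINE).items():
        print(pid, info)
```

On a real image, feed it the stdout of the three plugins instead of the constructed strings; the join logic is unchanged.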