Lost in RAMslation TryHackMe CTF
Explore TryHackMe’s Lost in RAMslation — a hands-on memory forensics challenge to analyze RAM, detect malware, and practice DFIR skills using Volatility and real-world investigation tools.
Jawstar
11/2/2025


Task 2: The Challenge
Answer the questions below
What is the absolute path to the initial malicious file executed on this host?
C:\Windows\Tasks\MicrosoftUpdate.dll
Which process ID (PID) was assigned to the process used to execute the initial payload?
2928
What was the full command line used by the attacker to launch initial execution on this host?
rundll32.exe C:\windows\tasks\MicrosoftUpdate.dll, RunMe
The attack launched various processes. What is the name of the final process in the chain?
notepad.exe
What are the first five bytes (in hex, e.g., 4d5a9000) of the Meterpreter shellcode injected into it?
fc4889ce48
To which IP address does the host perform lateral movement using port 3389?
172.16.2.9
