OS, Password, IP Addr, Note, Execution, Path of the Executable, Malicious - Forensics

Task

My boss, Muhammad, sent me this dump file of a memory. He told me that this OS has a malware virus that runs automatically. I need to find some more information about this OS, and the hacker also created some files in this OS. He gave me a task to solve this within 24 hours. I am afraid. Will you please help me? My boss sent some questions; please solve them on my behalf. There are total 7 challenges in this series. Best of luck.

Solution

The Forensics category consisted of 7 tasks: OS, Password, IP Addr, Note, Execution, Path of the Executable, and Malicious. The content of individual tasks is included in points 1-7. All tasks in this category were solved based on the KnightSquad.DMP file, which was attached to the first task:

szczygielka@hacks$ file KnightSquad.DMP 
KnightSquad.DMP: MS Windows 64bit crash dump, full dump, 771726 pages

To solve the tasks, we will mainly use WinDbg, Volatility 2, Volatility 3. Both versions of Volatility differ in some commands, so it is worth to pay attention to the information returned by both versions of this software and their capabilities because some commands in Volatility 2 seem to have no equivalents in Volatility 3.

Additionally, in Volatility 2, it is necessary to select an operating system profile, which we will do after the OS task, once we have some information about the system.

Useful cheatsheet for Volatility 2 and Volatility 3: https://blog.onfvp.com/post/volatility-cheatsheet/

1. OS - What is the OS version?

To find the operating system version we can use the following command in WinDbg's integrated command line:

!analyze -v!

In the output of the command, we get the OS version, which is 7.1.7601.24214.

Flag:

KCTF{7.1.7601.24214}

Selecting an operating system profile in Volatility 2

To use Volatility 2 for solving the next tasks, we must determine the profile based on the operating system version. We know that the build number is 7.1.7601.24214 and that it is a 64-bit machine running Windows 7, and that it uses Service Pack 1.

Information on how to correctly determine the Windows machine profile in Volatility 2 can be found here.

We can use the following command to check the list of available profiles for Windows 7 in Volatility 2:

szczygielka@hacks$ python2 vol.py --info | grep Win7   
Volatility Foundation Volatility Framework 2.6.1
Win7SP0x64            - A Profile for Windows 7 SP0 x64
Win7SP0x86            - A Profile for Windows 7 SP0 x86
Win7SP1x64            - A Profile for Windows 7 SP1 x64
Win7SP1x64_23418      - A Profile for Windows 7 SP1 x64 (6.1.7601.23418 / 2016-04-09)
Win7SP1x64_24000      - A Profile for Windows 7 SP1 x64 (6.1.7601.24000 / 2018-01-09)
Win7SP1x86            - A Profile for Windows 7 SP1 x86
Win7SP1x86_23418      - A Profile for Windows 7 SP1 x86 (6.1.7601.23418 / 2016-04-09)
Win7SP1x86_24000      - A Profile for Windows 7 SP1 x86 (6.1.7601.24000 / 2018-01-09)

Based on the information received from the OS task, we can select the profile Win7SP1x64.

2. Password - What is the login password of the OS?

To get the password we have to get NTLM hashes. We can use hashdump functionality to get the hashes.

Volatility 2:

szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10eca58175d4228ece151e287086e824:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
siam:1001:aad3b435b51404eeaad3b435b51404ee:7ab3201ceecd554f772573bb064a0f38:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:99d22b68c0d197f683f3d994c7f31254:::

Volatility 3:

szczygielka@hacks$ python3 vol.py -f KnightSquad.DMP windows.hashdump
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished                                
User    rid     lmhash  nthash

Administrator   500     aad3b435b51404eeaad3b435b51404ee        10eca58175d4228ece151e287086e824
Guest   501     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
siam    1001    aad3b435b51404eeaad3b435b51404ee        7ab3201ceecd554f772573bb064a0f38
HomeGroupUser$  1002    aad3b435b51404eeaad3b435b51404ee        99d22b68c0d197f683f3d994c7f31254

Let's save found NTLM hashes to the hashes.txt file and use the Hashcatto crack them with rockyou.txt wordlist:

szczygielka@hacks$ hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

One of the hashes was cracked. Hash which was cracked and recovered password:

7ab3201ceecd554f772573bb064a0f38:squad

Flag:

KCTF{squad}

3. IP Addr - What is the IP address of this system?

To get the IP address we can use netscan functionality.

Volatility 2:

szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 netscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0xb90dce00         UDPv4    0.0.0.0:3702                   *:*                                   1392     svchost.exe    2023-12-18 15:57:03 UTC+0000
0xb9232d90         UDPv4    0.0.0.0:0                      *:*                                   1432     mfemms.exe     2023-12-18 15:56:56 UTC+0000
0xb9232d90         UDPv6    :::0                           *:*                                   1432     mfemms.exe     2023-12-18 15:56:56 UTC+0000
0xb9236ac0         UDPv4    0.0.0.0:0                      *:*                                   1432     mfemms.exe     2023-12-18 15:56:56 UTC+0000
0xb92cc8a0         UDPv4    10.0.2.15:138                  *:*                                   4        System         2023-12-18 15:56:57 UTC+0000
0xb92ce840         UDPv4    10.0.2.15:137                  *:*                                   4        System         2023-12-18 15:56:57 UTC+0000
0xb92ec010         UDPv4    0.0.0.0:0                      *:*                                   1092     svchost.exe    2023-12-18 15:56:57 UTC+0000
0xb92ec010         UDPv6    :::0                           *:*                                   1092     svchost.exe    2023-12-18 15:56:57 UTC+0000
0xb9480480         UDPv4    0.0.0.0:51204                  *:*                                   1392     svchost.exe    2023-12-18 15:56:53 UTC+0000
0xb9497bb0         UDPv4    0.0.0.0:51205                  *:*                                   1392     svchost.exe    2023-12-18 15:56:53 UTC+0000
0xb9497bb0         UDPv6    :::51205                       *:*                                   1392     svchost.exe    2023-12-18 15:56:53 UTC+0000
0xb95d5010         UDPv4    0.0.0.0:3702                   *:*                                   1392     svchost.exe    2023-12-18 15:57:03 UTC+0000
0xb961d780         UDPv4    0.0.0.0:5004                   *:*                                   3896     wmpnetwk.exe   2023-12-18 15:58:49 UTC+0000
0xb96287b0         UDPv4    0.0.0.0:5005                   *:*                                   3896     wmpnetwk.exe   2023-12-18 15:58:49 UTC+0000
0xb962c400         UDPv4    0.0.0.0:5004                   *:*                                   3896     wmpnetwk.exe   2023-12-18 15:58:49 UTC+0000
0xb962c400         UDPv6    :::5004                        *:*                                   3896     wmpnetwk.exe   2023-12-18 15:58:49 UTC+0000
0xb962ebb0         UDPv4    0.0.0.0:5005                   *:*                                   3896     wmpnetwk.exe   2023-12-18 15:58:49 UTC+0000
0xb962ebb0         UDPv6    :::5005                        *:*                                   3896     wmpnetwk.exe   2023-12-18 15:58:49 UTC+0000
<SNIP>

Volatility 3:

szczygielka@hacks$ python3 vol.py -f KnightSquad.DMP windows.netscan
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished                                
Offset  Proto   LocalAddr       LocalPort       ForeignAddr     ForeignPort     State   PID     Owner   Created

0xb90dce00      UDPv4   0.0.0.0 3702    *       0               1392    svchost.exe     2023-12-18 15:57:03.000000 
0xb9232d90      UDPv4   0.0.0.0 0       *       0               1432    mfemms.exe      2023-12-18 15:56:56.000000 
0xb9232d90      UDPv6   ::      0       *       0               1432    mfemms.exe      2023-12-18 15:56:56.000000 
0xb9236ac0      UDPv4   0.0.0.0 0       *       0               1432    mfemms.exe      2023-12-18 15:56:56.000000 
0xb92cc8a0      UDPv4   10.0.2.15       138     *       0               4       System  2023-12-18 15:56:57.000000 
0xb92ce840      UDPv4   10.0.2.15       137     *       0               4       System  2023-12-18 15:56:57.000000 
0xb92d4010      TCPv4   10.0.2.15       139     0.0.0.0 0       LISTENING       4       System  -
0xb92ec010      UDPv4   0.0.0.0 0       *       0               1092    svchost.exe     2023-12-18 15:56:57.000000 
0xb92ec010      UDPv6   ::      0       *       0               1092    svchost.exe     2023-12-18 15:56:57.000000 
0xb9480480      UDPv4   0.0.0.0 51204   *       0               1392    svchost.exe     2023-12-18 15:56:53.000000 
0xb9497bb0      UDPv4   0.0.0.0 51205   *       0               1392    svchost.exe     2023-12-18 15:56:53.000000 
0xb9497bb0      UDPv6   ::      51205   *       0               1392    svchost.exe     2023-12-18 15:56:53.000000 
0xb94ebc80      TCPv4   0.0.0.0 445     0.0.0.0 0       LISTENING       4       System  -
0xb94ebc80      TCPv6   ::      445     ::      0       LISTENING       4       System  -
0xb9542cd0      TCPv6   ::1     49181   ::1     2869    CLOSED  -       -       -
0xb95d5010      UDPv4   0.0.0.0 3702    *       0               1392    svchost.exe     2023-12-18 15:57:03.000000 
0xb961d780      UDPv4   0.0.0.0 5004    *       0               3896    wmpnetwk.exe    2023-12-18 15:58:49.000000 
0xb96287b0      UDPv4   0.0.0.0 5005    *       0               3896    wmpnetwk.exe    2023-12-18 15:58:49.000000 
0xb962c400      UDPv4   0.0.0.0 5004    *       0               3896    wmpnetwk.exe    2023-12-18 15:58:49.000000 
0xb962c400      UDPv6   ::      5004    *       0               3896    wmpnetwk.exe    2023-12-18 15:58:49.000000 
0xb962ebb0      UDPv4   0.0.0.0 5005    *       0               3896    wmpnetwk.exe    2023-12-18 15:58:49.000000 
0xb962ebb0      UDPv6   ::      5005    *       0               3896    wmpnetwk.exe    2023-12-18 15:58:49.000000
<SNIP>

The machine's IP address is 10.0.2.15.

Flag:

KCTF{10.0.2.15}

4. Note - My boss has written something in the text file. Could you please help me find it?

Let's assume that may be a plain text file, i.e. a .txt file. Let's start by searching for all files of this type using filescan functionality.

Volatility 2:

szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 filescan | grep ".txt"
Volatility Foundation Volatility Framework 2.6.1
0x00000000b9ba7bb0     16      0 R--rw- \Device\HarddiskVolume2\Users\siam\Documents\text2.txt
0x00000000b9d1ef20     16      0 R--rw- \Device\HarddiskVolume2\Users\siam\Documents\text.txt
0x00000000bbd7f950      1      1 -W-rw- \Device\HarddiskVolume2\Users\siam\AppData\Local\Temp\FXSAPIDebugLogFile.txt

Volatility 3:

szczygielka@hacks$ python3 vol.py -f KnightSquad.DMP windows.filescan | grep ".txt"
0xb9ba7bb0 100.0\Users\siam\Documents\text2.txt 216
0xb9d1ef20      \Users\siam\Documents\text.txt  216
0xbbd7f950      \Users\siam\AppData\Local\Temp\FXSAPIDebugLogFile.txt   216

Based on the output information, we can suspect that it is the text2.txt file or the text.txt file. To recover a single file, we have to use the address of this file returned in the previous command. Let's try to recover the text2.txt file first.

Volatility 2

In case of use the Volatility 2, we must specify the path where the recovered file will be saved:

szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 dumpfiles -Q 0x00000000b9ba7bb0 -D .
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0xb9ba7bb0   None   \Device\HarddiskVolume2\Users\siam\Documents\text2.txt

Volatility 3

In case of use the Volatility 3, it is not necessary to provide the output path:

szczygielka@hacks$ vol.py -f KnightSquad.DMP windows.dumpfiles --physaddr 0xb9ba7bb0 
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished                                
Cache   FileObject      FileName        Result

DataSectionObject       0xb9ba7bb0      text2.txt       file.0xb9ba7bb0.0xfa8004edf270.DataSectionObject.text2.txt.dat

The file text2.txtwas recovered successfully. After opening it, we can see that part of the first line is encoded in Base64:

After decoding the string from Base64, we get the flag:

szczygielka@hacks$ base64 -d <<< S0NURntSZXNwZWN0X1kwdXJfSGVyNG5raX0=                       
KCTF{Respect_Y0ur_Her4nki}

Flag:

KCTF{Respect_Y0ur_Her4nki}

5. Execution - My leader, Noman Prodhan, executed something in the cmd of this infected machine. Could you please figure out what he actually executed?

To solve this task, the following information from HackTricks will be helpful:

Commands entered into cmd.exe are processed by conhost.exe (csrss.exe prior to Windows 7). So even if an attacker managed to kill the cmd.exe prior to us obtaining a memory dump, there is still a good chance of recovering history of the command line session from conhost.exe’s memory. If you find something weird (using the console’s modules), try to dump the memory of the conhost.exe associated process and search for strings inside it to extract the command lines.

Volatility 2

In the Volatility 2 there are at least 3 commands related to a command line, they are:

cmdline
cmdscan
consoles

We will check the output of each of them, because their results may be useful also in solving the Path of the Execution task. For the cmdline and cmdscan commands, we want to find all the results for the conhost.exe process.

The cmdline command

Let's use the cmdline command to search for the conhost.exe process:

szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 cmdline | grep "conhost.exe"
Volatility Foundation Volatility Framework 2.6.1
conhost.exe pid:   2348
Command line : \??\C:\Windows\system32\conhost.exe "-1209142271685361894-531425533-402668515-715241983-586801334-1893083562-2146092597
conhost.exe pid:   4888
Command line : \??\C:\Windows\system32\conhost.exe "-943315145667469034-835458599-11439838731992957646818159495-191605888-1892123205
conhost.exe pid:   4580
Command line : \??\C:\Windows\system32\conhost.exe "1094193548945927055-9018413218307182252079099763-884703563-73234193-284509992

In this case, this command returned the PIDs of the conhost.exe processes. With PIDs, we can dump the memory of each process, and then search for strings in them, hoping to find commands or other interesting strings (we will do this in Volatility 3).

The cmdscan command

In this case, we can see 2 commands that were executed in the console:

szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6.1
**************************************************
CommandProcess: conhost.exe Pid: 4888
CommandHistory: 0x2df850 Application: ModuleCoreService.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
**************************************************
CommandProcess: conhost.exe Pid: 4580
CommandHistory: 0x8ebe0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x679d0: C:\Users\siam\Documents\windows.bat
Cmd #1 @ 0x6d340: C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash
Cmd #15 @ 0x50158: 
Cmd #16 @ 0x8dd50:

The output indicates that for the process with PID 4580, we can see that two commands have been executed. As in the case of the cmdlinecommand, we can dump the process memory and search for strings.

The consoles command

The consoles command displays the entire screen buffer (input and output), not just the command typed in the console. In this case, it turned out to be significant. After executing the consolescommand, we get the flag. This is because the flag was returned in the output of the executed script windows.bat:

szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 consoles                     
Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: conhost.exe Pid: 4888
Console: 0xffdf6200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
Title: C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
AttachedProcess: ModuleCoreServ Pid: 4880 Handle: 0x60
----
CommandHistory: 0x2df850 Application: ModuleCoreService.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
----
Screen 0x2d0bb0 X:80 Y:300
Dump:

**************************************************
ConsoleProcess: conhost.exe Pid: 4580
Console: 0xffdf6200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\system32\cmd.exe
Title: C:\Windows\system32\cmd.exe
AttachedProcess: cmd.exe Pid: 2656 Handle: 0x60
----
CommandHistory: 0x8ebe0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x679d0: C:\Users\siam\Documents\windows.bat
Cmd #1 at 0x6d340: C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash
----
Screen 0x710b0 X:80 Y:300
Dump:
Microsoft Windows [Version 6.1.7601]                                            
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.                 
                                                                                
C:\Users\siam>C:\Users\siam\Documents\windows.bat                               
"KCTF{W3_AR3_tH3_Kn1GHt}"                                                       
                                                                                
C:\Users\siam>C:\Users\siam\Desktop\NotMyFault\notmyfault64.exe /crash          
                                                                        
C:\Users\siam>

Volatility 3

Unfortunately Volatility 3 does not have plugins that would be equivalent to the commands cmdscan and consoles. We can only use the cmdlinecommand:

szczygielka@hacks$ python3 vol.py -f KnightSquad.DMP windows.cmdline | grep "conhost.exe"
2348ressconhost.exe     \??\C:\Windows\system32\conhost.exe "-1209142271685361894-531425533-402668515-715241983-586801334-1893083562-2146092597
4888    conhost.exe     \??\C:\Windows\system32\conhost.exe "-943315145667469034-835458599-11439838731992957646818159495-191605888-1892123205
4580    conhost.exe     \??\C:\Windows\system32\conhost.exe "1094193548945927055-9018413218307182252079099763-884703563-73234193-284509992

The flag is present in each of the above processes. Since the procdump command available in Volatility 3 recovers the .exe file along with the associated DLLs, we will use the memmap command to retrieve it. For example, let's dump the process with PID number 4888:

szczygielka@hacks$ python3 vol.py -f KnightSquad.DMP windows.memmap --pid 4888 --dump

Using strings on the dumped process we get the flag:

szczygielka@hacks$ strings -a pid.4888.dmp | grep "KCTF{" 
echo "KCTF{W3_AR3_tH3_Kn1GHt}"
KCTF{S00ry_Hacker_You_are_wrong}
KCTF{NO-NO-NoTHis-isnot}

Flag:

KCTF{W3_AR3_tH3_Kn1GHt}

6. Path of the Executable - What is the path folder of the executable file which execute privious flag?

Volatility 2

In the task Execution, in the output of executing the cmdscan and consoles commands in Volatility 2, there was a full path of the executed windows.bat script, that is:

\Users\siam\Documents\windows.bat

Flag:

KCTF{\Users\siam\Documents}

7. Malicious - What is the malicious software name?

Let's remind the content of the first task:

My boss, Muhammad, sent me this dump file of a memory. He told me that this OS has a malware virus that runs automatically. I need to find some more information about this OS, and the hacker also created some files in this OS. He gave me a task to solve this within 24 hours. I am afraid. Will you please help me? My boss sent some questions; please solve them on my behalf. There are total 7 challenges in this series. Best of luck.

So we are most likely looking for some malware that runs automatically.

In Volatility 2 we can use the autoruns plugin to find software that runs automatically:

GitHub - tomchop/volatility-autoruns: Autoruns plugin for the Volatility frameworkGitHub

Command in Volatility 2 to check autostart files is as follows:

szczygielka@hacks$ python2 vol.py --plugins=/home/szczygielka/Downloads/OS/volatility2/volatility-autoruns-master -f KnightSquad.DMP --profile=Win7SP1x64 autoruns
Volatility Foundation Volatility Framework 2.6.1


Autoruns==========================================

Hive: \SystemRoot\System32\Config\SOFTWARE 
    Microsoft\Windows\CurrentVersion\Run (Last modified: 2022-10-06 21:56:19 UTC+0000)
        %SystemRoot%\system32\VBoxTray.exe : VBoxTray (PIDs: 3576)

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT 
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:48 UTC+0000)
        %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT 
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2009-07-14 04:45:47 UTC+0000)
        %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun : Sidebar (PIDs: )

Hive: \??\C:\Users\siam\ntuser.dat 
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
        Danger                         :  (PIDs: )

Hive: \??\C:\Users\siam\ntuser.dat 
    Software\Microsoft\Windows\CurrentVersion\Run (Last modified: 2023-12-18 08:20:02 UTC+0000)
        C:\Users\ezyzip\MadMan.exe     : Danger (PIDs: )

Hive: \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT 
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:28 UTC+0000)
        C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )

Hive: \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT 
    Software\Microsoft\Windows\CurrentVersion\RunOnce (Last modified: 2011-12-20 12:57:38 UTC+0000)
        C:\Windows\System32\mctadmin.exe : mctadmin (PIDs: )
<SNIP>

The MadMan.exe file looks quite suspicious. To dump the suspicious MadMan.exe file, we need its location in memory. We can check it with the command:

szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 filescan | grep "MadMan.exe"
Volatility Foundation Volatility Framework 2.6.1
0x00000000b9892a10      2      0 R--rwd \Device\HarddiskVolume2\Users\ezyzip\MadMan.exe
0x00000000b9894c00     16      0 R--r-d \Device\HarddiskVolume2\Users\ezyzip\MadMan.exe

For the second returned address, we get the actual MadMan.exe executable. Command to dump the MadMan.exe file:

szczygielka@hacks$ python2 vol.py -f KnightSquad.DMP --profile=Win7SP1x64 dumpfiles -Q 0x00000000b9894c00 -D.

After uploading the MadMan.exe file or its hash for analysis at VirusTotal, we can see that the file is malicious:

Flag:

KCTF{MadMan.exe}