Tags: forensics memorydump volatility darkcomet
Rating:
# Attaaaaack11
## Background
Q11. can you find the key name and it's value ?
example : crew{CurrentVersion_ProductName}
Author : 0xSh3rl0ck
## Find the flag
**When I was searching ""test213.no-ip.info" keylogger" in Attaaaaack9, I also came across with [this Jupyter note](https://notebook.community/adricnet/dfirnotes/examples/Rekall%20demo%20-%20DarkComet%20analysis%20by%20TekDefense%20-%20Jupyter%20slides):**
**In there, the memory dump's registry key has something weird:**
```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.09|13:05:47(HKT)]
└> python2 /opt/volatility/vol.py --profile=Win7SP1x86_23418 -f memdump.raw printkey -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Volatility Foundation Volatility Framework 2.6.1
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \??\C:\Users\0xSh3rl0ck\ntuser.dat
Key name: Run (S)
Last updated: 2023-02-20 19:03:40 UTC+0000
Subkeys:
Values:
REG_SZ MicroUpdate : (S) C:\Users\0XSH3R~1\AppData\Local\Temp\MSDCSC\runddl32.exe
----------------------------
Registry: \REGISTRY\USER\S-1-5-20
Key name: Run (S)
Last updated: 2009-07-14 04:34:14 UTC+0000
[...]
```
The `HKCU` `Run` key has a value called `MicroUpdate`.
- **Flag: `crew{Run_MicroUpdate}`**
