# MEMORY ANALYSIS – RANSOMWARE

![](/files/a9rpxE3Oeb4hy9Z2GVqx)

First we need to identify the profile of the memory image:

vol.py -f infected.vmem imageinfo

Once we know the profile we can start analysing the image. The first question is to find **the name of the suspicious process.**

**To answer this we have two options: run the plugin directly, or do something smarter that we will probably need again later: save the output of pslist and psscan to files so they can be compared.**

**The commands are:**

vol.py -f infected.vmem --profile=Win7SP1x86 pslist > pslist.txt

vol.py -f infected.vmem --profile=Win7SP1x86 psscan > pslscan.txt

![](/files/wAEriFSD4hlJPRQjaLe6)

Now it is time to look at the difference between the two files. pslist walks the active process linked list, while psscan carves _EPROCESS structures out of physical memory, so a process that shows up only in psscan was either unlinked (hidden) or had already exited. Note that the two plugins print different columns, so concentrate on the Name and PID fields in the diff rather than on every changed line: diff pslist.txt pslscan.txt

![](/files/DhyJJdILa5b2TBIL1QF8)

The answer to the first question can now be read directly from the output:

![](/files/lKSQXR9qxRkWXZAQWAER)

What is the parent process ID of the **suspicious process?** pstree prints the process hierarchy with every child indented under its parent, so the PPID can be read straight off:

vol.py -f infected.vmem --profile=Win7SP1x86 pstree

![ ](/files/IVbZo3kvJxABqspFeV6E)

![](/files/ab1UYWGzqhnlt7Y0GopS)

What is the initial malicious executable that created this process? Search the saved psscan output for the suspicious PID (2732); the PPID column of that entry points at the parent, and searching for the parent PID in turn gives its name:

grep -w 2732 pslscan.txt

![](/files/WEExCmn4EW2QXs3FwrO0)

![](/files/uzOUcde8p1T5KOE3NiBb)

If you drill down on the suspicious PID, find the process used to delete files (look at the entries that have the suspicious PID as their PPID):

vol.py -f infected.vmem --profile=Win7SP1x86 psscan | grep -w <PID here>

![](/files/qqYcmyKXpdrNHyItceQj)

Find the path from which the malicious file was first executed. Either dlllist, whose per-process header shows the command line and whose first entry is the executable image itself with its full path, or cmdline, which prints the command line of the process:

vol.py -f infected.vmem --profile=Win7SP1x86 dlllist -p 2732

or

vol.py -f infected.vmem --profile=Win7SP1x86 cmdline -p 2732

![](/files/pbxwuSJJpliA8OMJDh70)

![](/files/aCEqIGRpF7SMQZCCWAaF)

Can you identify which ransomware it is? (Do your research: search for the executable name and the artefacts collected so far.)

![](/files/asv3xagrAWp4w5BhgFnS)

What is the filename of the file containing the ransomware public key that was used to encrypt the private key (.eky extension)? Dump the memory of the suspicious process; memdump writes it to <PID>.dmp in the chosen directory:

vol.py -f infected.vmem --profile=Win7SP1x86 memdump -p 2732 --dump-dir=./

Then extract the printable strings from the dump and grep for the keyword we are looking for (Windows keeps many paths as UTF-16, so repeat the search with strings -el to catch those too):

strings 2732.dmp | grep -i '\.eky'

![](/files/SXvxVr3XzK7j3fA9mUgC)

![](/files/QywighmMqDs9cccKjkeV)
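The whole procedure above, done with plain shell tools, as an added example that is not part of the original write-up. It normalises pslist and psscan output to "Name PID" lines before comparing them (a raw diff of the two files is noisy because the plugins print different columns), lists the children of a given PID, and pulls .eky names out of a raw memdump. The plugin output and the dump bytes are constructed samples: the process name "sample.exe", its parent PID 1464 and the key file name are placeholders, and only PID 2732 comes from the write-up.

```shell
#!/bin/sh
# Added example, not part of the original write-up: the pslist/psscan
# comparison and the memdump keyword search done with awk/comm/grep, so the
# different column layouts of the two plugins do not drown the result in diff
# noise. All plugin output and dump bytes below are CONSTRUCTED samples; the
# process name "sample.exe", its parent PID 1464 and the key file name are
# placeholders (only PID 2732 comes from the write-up).
set -eu
export LC_ALL=C   # byte-order sorting so sort and comm agree

# Constructed Volatility 2 pslist output (columns: Offset(V) Name PID PPID ...).
PSLIST_SAMPLE='Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84f3a8b0 System                    4      0     87      458 ------      0 2019-03-22 14:33:11 UTC+0000
0x85c3c030 explorer.exe           1464   1440     33      930      1      0 2019-03-22 14:33:49 UTC+0000
'
# Constructed psscan output (columns: Offset(P) Name PID PPID PDB ...) with one
# process that the linked-list walk in pslist does not show.
PSSCAN_SAMPLE='Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003f4a8b0  System                 4      0 0x00185000 2019-03-22 14:33:11 UTC+0000
0x000000003fc3c030 explorer.exe        1464   1440 0x1e5c0000 2019-03-22 14:33:49 UTC+0000
0x000000003f9d4a20 sample.exe          2732   1464 0x1e6e0000 2019-03-22 14:35:02 UTC+0000
'
PSLIST_FILE=$(mktemp); printf '%s' "$PSLIST_SAMPLE" >"$PSLIST_FILE"
PSSCAN_FILE=$(mktemp); printf '%s' "$PSSCAN_SAMPLE" >"$PSSCAN_FILE"

# Constructed stand-in for 2732.dmp: a few header bytes, a NUL-separated path,
# the key file name and an unrelated executable name.
DUMP_FILE=$(mktemp)
printf 'MZ\220\000\003 junk\000C:\\Users\\user\\notes.txt\000\000key_3f9d.eky\000\000trash.exe' >"$DUMP_FILE"

# Reduce plugin output to sorted "Name PID" lines: drop the two header lines and
# keep columns 2 and 3, which are Name and PID in both pslist and psscan.
normalize_procs() {
    awk 'NR > 2 && NF >= 3 { print $2, $3 }' | sort -u
}

# Print "Name PID" entries found by psscan ($2) but missing from pslist ($1):
# candidates for hidden (unlinked) or already exited processes.
only_in_psscan() {
    _l=$(mktemp); _s=$(mktemp)
    normalize_procs <"$1" >"$_l"
    normalize_procs <"$2" >"$_s"
    comm -13 "$_l" "$_s"
    rm -f "$_l" "$_s"
}

# Print "Name PID" of every psscan entry whose PPID (column 4) is $1, i.e. the
# children of a process; run it on the suspicious PID to see what it spawned.
children_of() {
    awk -v ppid="$1" 'NR > 2 && $4 == ppid { print $2, $3 }' "$2"
}

# Print unique *.eky names from a raw memdump. NUL bytes become newlines so
# ASCII strings are separated; -a forces grep to treat the file as text.
# (Real dumps also hold UTF-16 paths: run `strings -el 2732.dmp` for those.)
eky_names_in_dump() {
    tr '\000' '\n' <"$1" | grep -ao '[[:alnum:]_.-]*\.eky' | sort -u
}

# Walk-through of the write-up's questions on the constructed data.
echo "psscan-only processes:"; only_in_psscan "$PSLIST_FILE" "$PSSCAN_FILE"
echo "children of PID 1464:";  children_of 1464 "$PSSCAN_FILE"
echo ".eky names in dump:";    eky_names_in_dump "$DUMP_FILE"
```

On a real case, replace the constructed samples with the pslist.txt and pslscan.txt files saved earlier and the 2732.dmp produced by memdump; the comm step is what turns the noisy diff into the short list of processes that psscan found and pslist did not.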
