3615 Incident (1)

Catégorie: Forensique

Points: 127

Description: Une victime de plus tombée sous le coup d’un rançongiciel. Le paiement de la rançon n’est pas envisagée vu le montant demandé. Vous êtes appelé pour essayer de restaurer les fichiers chiffrés. Une suite d’éléments est nécessaire pour avancer dans l’investigation et constituer le rapport d’incident. Pour commencer, quel est le nom du fichier exécutable de ce rançongiciel, son identifiant de processus et quel est devenu le nom du fichier flag.docx une fois chiffré ? Donnez le SHA1 de ce nom avec son extension. Note : l’image disque fait environ 440 Mo compressée et environ 1.4 Go décompressée. Réponse attendue au format ECSC{nom_du_rançongiciel.exe:PiD:sha1}.

Fichiers: mem.dmp


Pour savoir ce qui s'est passe on regarde les commandes qui ont ete exécutés. Cela nous permet d'identifier les informations nécessaires à la reconstitution du flag.


Tout d'abord on regarde face à quel type de fichier on se trouve.

>_ file mem.dmp
mem.dmp: MS Windows 64bit crash dump, full dump, 344794 pages

On a un dump de mémoire Windows. Allons voir plus en détail avec Volatility ce qu'il contient.

Le premier truc à faire avec Volatility c'est imageinfo bien évidemment.

>_ volatility -f mem.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
          Suggested Profile(s) : Win10x64_17134, Win10x64_10240_17770, Win10x64_10586, Win10x64_14393, Win10x64, Win2016x64_14393, Win10x64_16299, Win10x64_15063 (Instantiated with Win10x64_15063)
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/lambdhack/ctf/ecsc/forensic/3615_incident/mem.dmp)
                      PAE type : No PAE
                           DTB : 0x1ab000L
                          KDBG : 0xf801f433ba60L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff801f4394000L
                KPCR for CPU 1 : 0xffffd0012eb07000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-05-08 20:04:11 UTC+0000
     Image local date and time : 2019-05-08 22:04:11 +0200

Le profile Win10x64 parait le plus adapte.

Maintenant on regarde les processus en cours.

>_ volatility -f mem.dmp --profile=Win10x64 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe0000f65a040 --------------------      4      0 30...6        0 ------      0 2019-05-08 19:57:03 UTC+0000                                 
0xffffe00010e4b040 ?t?                    256      4 28...4        0 ------      0 2019-05-08 19:57:03 UTC+0000                                 
0xffffe00010ef2080 ???                    360    348 30...2        0      0      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe00011302080 ?/                    472    348 28...4        0      0      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe00011305180 ?@0                    480    464 30...2        0      1      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe00011344080 ?4                    544    464 30...2        0      1      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe00011399840 0?9                    592    472 29...6        0      0      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe000113a2840 P?5                    604    472 30...8        0      0      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe000113dd480  ?=                    684    592 29...6        0      0      0 2019-05-08 19:57:05 UTC+0000                                 
0xffffe000113f2180 ?)?                    740    592 29...8        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe00011739080 ??s                    836    544 30...8        0      1      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe00011779840  ?v                    944    592 27...4        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe00011789840 `"x                    964    592 30...2        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe0001178c840 p~x                    972    592 30...6        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe0001179c840  ox                   1000    592 29...8        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe000117e0840  ?}                    296    592 28...4        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe000117e1080 ??}                    668    592 30...4        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe0000f685840 慈ཨ...           1036    592 29...6        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe0000f683840 m                   1216    592 30...4        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe00011617840 d                   1304    592 30...2        0      0      0 2019-05-08 19:57:06 UTC+0000                                 
0xffffe00011cc45c0 ?                      1652    592 30...4        0      0      0 2019-05-08 19:57:07 UTC+0000                                 
0xffffe00011cf1840 ???                   1712    592 29...8        0      0      0 2019-05-08 19:57:07 UTC+0000                                 
0xffffe00011cff840 ???                   1732    592 30...2        0      0      0 2019-05-08 19:57:07 UTC+0000                                 
0xffffe00011d0a840 ???                   1760    592 30...6        0      0      0 2019-05-08 19:57:07 UTC+0000                                 
0xffffe00011d1b840  J?                   1776    592 27...6        0      0      0 2019-05-08 19:57:07 UTC+0000                                 
0xffffe000115ae840 P?T                   2244    684 30...4        0      0      0 2019-05-08 19:57:09 UTC+0000                                 
0xffffe000115ac840  _\                   2308    592 26...0        0      0      0 2019-05-08 19:57:09 UTC+0000                                 
0xffffe0000f823340 ??^                   2464    592 26...0        0      0      0 2019-05-08 19:57:10 UTC+0000                                 
0xffffe0000f839840 ???                   2708    592 30...0        0      0      0 2019-05-08 19:57:10 UTC+0000                                 
0xffffe00010aba840 --------------------   2204    944 29...8        0      1      0 2019-05-08 19:57:14 UTC+0000                                 
0xffffe00011fa8840 ?m?                   2168    944 30...2        0      1      0 2019-05-08 19:57:14 UTC+0000                                 
0xffffe00012023580                    3092    684 27...2        0      1      0 2019-05-08 19:57:14 UTC+0000                                 
0xffffe00012034080 --------------------   3120    544 30...8 --------      1      0 2019-05-08 19:57:14 UTC+0000                                 
0xffffe000116e3080 ??                   3184   3120 27...6        0      1      0 2019-05-08 19:57:14 UTC+0000                                 
0xffffe00012077240 ?@                   3220    684 31...0        0      1      1 2019-05-08 19:57:14 UTC+0000                                 
0xffffe0001225b840 --------------------   3444    592 27...0        0      0      0 2019-05-08 19:57:15 UTC+0000                                 
0xffffe00011f8f7c0 --------------------   3576    684 30...6        0      1      0 2019-05-08 19:57:15 UTC+0000                                 
0xffffe000122aa840 @N?                   4452    592 30...8        0      1      0 2019-05-08 19:57:23 UTC+0000                                 
0xffffe00012620080 ?                   4812   3184 29...4        0      1      0 2019-05-08 19:57:27 UTC+0000                                 
0xffffe000125fb840 Pi^                   4916    684 29...6        0      0      0 2019-05-08 19:57:28 UTC+0000                                 
0xffffe00012774080 ??v                   3080   3184 30...8        0      1      1 2019-05-08 19:57:29 UTC+0000                                 
0xffffe000125a7840 ?;3                   4040   3184 27...0        0      1      1 2019-05-08 19:59:06 UTC+0000                                 
0xffffe000125f7840 ??-                   4896   4040 31...8        0      1      1 2019-05-08 19:59:07 UTC+0000                                 
0xffffe00010385080 @3                   4736   4040 27...0        0      1      1 2019-05-08 19:59:08 UTC+0000                                 
0xffffe00010347080 --------------------   3744   4040 27...6        0      1      1 2019-05-08 19:59:09 UTC+0000                                 
0xffffe00011196080 --------------------   3256   4040 31...4        0      1      1 2019-05-08 19:59:11 UTC+0000                                 
0xffffe00011f8b080 ?d                   5060   3444 30...2        0      0      0 2019-05-08 19:59:31 UTC+0000                                 
0xffffe000127446c0 --------------------   5084   4040 30...6 --------      1      1 2019-05-08 19:59:33 UTC+0000                                 
0xffffe00012155200  ??                   1360   4040 30...0        0      1      1 2019-05-08 19:59:42 UTC+0000                                 
0xffffe00012530080 ??E                   3248   4932 28...4        0      0      0 2019-05-08 19:59:43 UTC+0000                                 
0xffffe000125b8080 @TX                   3888    684 27...2        0      1      0 2019-05-08 20:00:03 UTC+0000                                 
0xffffe000126d3080 ??}                   2624    964 29...8        0      0      0 2019-05-08 20:00:15 UTC+0000                                 
0xffffe000106bb840 ?                      5208   3184 29...0        0      1      1 2019-05-08 20:00:16 UTC+0000                                 
0xffffe00010335080 ?l                   5224   5208 26...8        0      1      0 2019-05-08 20:00:16 UTC+0000                                 
0xffffe00012268100 0S?                   5444   3184 30...0        0      1      0 2019-05-08 20:00:29 UTC+0000                                 
0xffffe0001214e080 --------------------   5496   3184 27...6 --------      1      1 2019-05-08 20:00:33 UTC+0000                                 
0xffffe00012910080 ??y                   5792    592 27...6        0      0      0 2019-05-08 20:00:58 UTC+0000                                 
0xffffe00012854840 ?|
                                        5840   3184 30...4        0      1      0 2019-05-08 20:01:01 UTC+0000                                 
0xffffe000126b7840 `?@                   6100    296 29...8        0      0      0 2019-05-08 20:01:27 UTC+0000                                 
0xffffe0001287a840 ??N                   5176   3184 27...8        0      1      1 2019-05-08 20:01:49 UTC+0000                                 
0xffffe00010441600 ??n                   3192    944 30...2        0      1      0 2019-05-08 20:02:15 UTC+0000                                 
0xffffe000123e21c0 ??                   4320   3444 30...8        0      0      0 2019-05-08 20:02:52 UTC+0000                                 
0xffffe0001051c840 ??X                   5596   3184 27...8        0      1      0 2019-05-08 20:04:09 UTC+0000                                 
0xffffe0001051b080 `?`                   5364   5596 28...4        0      1      0 2019-05-08 20:04:09 UTC+0000    

C'est quoi les noms des processus ? Ils sont lisibles normalement


Ce doit être probablement à cause du rançongiciel.

Comme y a rien à en tirer on va regarder les commandes saisies dans le terminal et voir ce qu'a fait le rançongiciel.

>_ volatility -f mem.dmp --profile=Win10x64 cmdline
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug    : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
 pid:      4
?t? pid:    256
Command line : \SystemRoot\System32\smss.exe
??? pid:    360
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
?/ pid:    472
Command line : wininit.exe
?@0 pid:    480
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
?4 pid:    544
Command line : winlogon.exe
0?9 pid:    592
Command line : C:\Windows\system32\services.exe
P?5 pid:    604
Command line : C:\Windows\system32\lsass.exe
 ?= pid:    684
Command line : C:\Windows\system32\svchost.exe -k DcomLaunch
?)? pid:    740
Command line : C:\Windows\system32\svchost.exe -k RPCSS
??s pid:    836
Command line : "dwm.exe"
 ?v pid:    944
Command line : C:\Windows\system32\svchost.exe -k netsvcs
`"x pid:    964
Command line : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
p~x pid:    972
Command line : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
 ox pid:   1000
Command line : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
 ?} pid:    296
Command line : C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
??} pid:    668
Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
慈ཨ￿ pid:   1036
Command line : C:\Windows\system32\svchost.exe -k LocalService
m pid:   1216
Command line : C:\Windows\system32\svchost.exe -k NetworkService
d pid:   1304
Command line : C:\Windows\System32\spoolsv.exe
? pid:   1652
Command line : C:\Windows\System32\svchost.exe -k utcsvc
??? pid:   1712
Command line : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
??? pid:   1732
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
??? pid:   1760
Command line : C:\Windows\system32\svchost.exe -k appmodel
 J? pid:   1776
Command line : "C:\Program Files\Windows Defender\MsMpEng.exe"
P?T pid:   2244
Command line : C:\Windows\system32\wbem\wmiprvse.exe
 _\ pid:   2308
Command line : C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
??^ pid:   2464
Command line : C:\Windows\System32\msdtc.exe
??? pid:   2708
Command line : "C:\Program Files\Windows Defender\NisSrv.exe"
WARNING : volatility.debug    : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
 pid:   2204
Command line : sihost.exe
?m? pid:   2168
Command line : taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
 pid:   3092
Command line : C:\Windows\System32\RuntimeBroker.exe -Embedding
WARNING : volatility.debug    : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
 pid:   3120
?? pid:   3184
Command line : C:\Windows\Explorer.EXE
?@ pid:   3220
Command line : 
WARNING : volatility.debug    : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
 pid:   3444
Command line : C:\Windows\system32\SearchIndexer.exe /Embedding
WARNING : volatility.debug    : NoneObject as string: Buffer length 0 for _UNICODE_STRING not within bounds
 pid:   3576
@N? pid:   4452
Command line : C:\Windows\System32\svchost.exe -k UnistackSvcGroup
? pid:   4812
Command line : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
Pi^ pid:   4916
Command line : C:\Windows\system32\wbem\wmiprvse.exe
??v pid:   3080
Command line : 
?;3 pid:   4040
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" 
??- pid:   4896
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.0.814670744\1990131067" -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 1332 gpu
@3 pid:   4736
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.6.134942365\347688373" -childID 1 -isForBrowser -prefsHandle 2124 -prefMapHandle 1892 -prefsLen 1 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 1980 tab
WARNING : volatility.debug    : NoneObject as string: Buffer length 47200 for _UNICODE_STRING not within bounds
 pid:   3744
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.13.1487111388\1473004279" -childID 2 -isForBrowser -prefsHandle 3132 -prefMapHandle 3136 -prefsLen 5418 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 3148 tab
WARNING : volatility.debug    : NoneObject as string: Buffer length 5136 for _UNICODE_STRING not within bounds
 pid:   3256
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.20.172274201\1384691405" -childID 3 -isForBrowser -prefsHandle 3064 -prefMapHandle 3664 -prefsLen 6288 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 3732 tab
?d pid:   5060
Command line : "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" 
WARNING : volatility.debug    : NoneObject as string: Buffer length 16096 for _UNICODE_STRING not within bounds
 pid:   5084
 ?? pid:   1360
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.34.980828210\1605638851" -childID 5 -isForBrowser -prefsHandle 5424 -prefMapHandle 4376 -prefsLen 6475 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 5368 tab
??E pid:   3248
Command line : "C:\Program Files\Windows Defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey D107B503-2934-DB76-C339-E28DEE97615C -Reinvoke
@TX pid:   3888
Command line : "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
??} pid:   2624
Command line : C:\Windows\system32\AUDIODG.EXE 0xa94
? pid:   5208
Command line : "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe" 
?l pid:   5224
Command line : \??\C:\Windows\system32\conhost.exe 0x4
0S? pid:   5444
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré
WARNING : volatility.debug    : NoneObject as string: Buffer length 16450 for _UNICODE_STRING not within bounds
 pid:   5496
??y pid:   5792
Command line : C:\Windows\system32\svchost.exe -k SDRSVC
   pid:   5840
Command line : "C:\Program Files\Windows Defender\msascui.exe"
`?@ pid:   6100
Command line : 
??N pid:   5176
Command line : "C:\Program Files (x86)\Notepad++\notepad++.exe" 
??n pid:   3192
Command line : taskhostw.exe Logon
?? pid:   4320
Command line : "C:\Windows\system32\SearchFilterHost.exe" 0 620 624 632 8192 628 
??X pid:   5596
Command line : "C:\Users\TNKLSAI3TGT7O9\DumpIt.exe" 
`?` pid:   5364
Command line : \??\C:\Windows\system32\conhost.exe 0x4

Ce qui est interessant, c'est cette partie:

 ?? pid:   1360
Command line : "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.34.980828210\1605638851" -childID 5 -isForBrowser -prefsHandle 5424 -prefMapHandle 4376 -prefsLen 6475 -prefMapSize 184586 -parentBuildID 20190507012018 -greomni "C:\Program Files (x86)\Mozilla Firefox\omni.ja" -appomni "C:\Program Files (x86)\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files (x86)\Mozilla Firefox\browser" - 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 5368 tab
??E pid:   3248
Command line : "C:\Program Files\Windows Defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey D107B503-2934-DB76-C339-E28DEE97615C -Reinvoke
@TX pid:   3888
Command line : "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
??} pid:   2624
Command line : C:\Windows\system32\AUDIODG.EXE 0xa94
? pid:   5208
Command line : "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe" 
?l pid:   5224
Command line : \??\C:\Windows\system32\conhost.exe 0x4
0S? pid:   5444
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré
WARNING : volatility.debug    : NoneObject as string: Buffer length 16450 for _UNICODE_STRING not within bounds

On remarque que firefox est lance et qu'un fichier qui se trouve dans "C:\Users\TNKLSAI3TGT7O9\Downloads\assistance.exe" est execute avec le pid 5208.

L'utilisateur a probablement telecharge le ransomware et l'a execute.

Ensuite on remarque que le fichier "C:\Users\TNKLSAI3TGT7O9\Documents\ZmxhZy5kb2N4.chiffré" est ouvert dans notepad.

Pour reconstituer le flag on a nos 3 parties:

Le nom du ransomware: assistance.exe Son PID: 5208 Le nom du fichier une fois chiffré: ZmxhZy5kb2N4.chiffré

