3615 Incident 1/3

forensics memory windows FCSC 2019

Description

Yet another victim has been compromised by ransomware. Paying the ransom is not an option: the amount is way too high. We called you to restore the encrypted files.

For this first challenge, what is the name of the binary associated with this ransomware, its PID, and what is the new name of the file flag.docx once encrypted? Give the SHA1 of this filename including its extension.

Note: The flag follows this format: ECSC{name_of_ransomware.exe:pid:sha1}.

This challenge has been split into three parts:

Files

  • mem.dmp.tar.xz
    338.19 MiB – 6003d62b4b4ecd8fb43be8802f6f429400c77a2bb082f0b7d3f93550e62babe5

Author

alx

Writeups

Date        Author  Language  Tags  Vote
2023-12-06  hashp4  🇫🇷