One of the SOC analysts took a memory dump from a machine infected with Meterpreter malware. As a digital forensicator, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.
What is the SHA1 hash of Triage-Memory.mem (memory dump)?
What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)
What was the process ID of notepad.exe?
Name the child process of wscript.exe.
What was the IP address of the machine at the time the RAM dump was created?
Based on the answer regarding the infected PID, can you determine the IP of the attacker?
How many processes are associated with VCRUNTIME140.dll?
After dumping the infected process, what is its MD5 hash?
What is the LM hash of Bob's account?
What memory protection constants does the VAD node at 0xfffffa800577ba10 have?
What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)
An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)
What was written in notepad.exe at the time when the memory dump was captured?
What is the short name of the file at file record 59045?
This box was exploited and is running meterpreter. What was the infected PID?