• Who created Redline? 

Answer : FireEye

• What data collection method takes the least amount of time?

As we can read in the text : Standard Collector

Answer : Standard Collector

• You are reading a research paper on a new strain of ransomware. You want to run the data collection on your computer based on the patterns provided, such as domains, hashes, IP addresses, filenames, etc. What method would you choose to run a granular data collection against the known indicators?

Answer : IOC Search Collector

• What script would you run to initiate the data collection process? Please include the file extension.
  

Answer : RunRedlineAudit.bat

• If you want to collect the data on Disks and Volumes, under which option can you find it?
  

Answer : disk enumeration

• What cache does Windows use to maintain a preference for recently executed code?

As per User Guide and looking for "Cache" keyword :

Answer : Prefetch

• Where in the Redline UI can you view information about the Logged in User?

 

Answer : system information

• Provide the Operating System detected for the workstation.
  

Answer : Windows Server 2019 Standard 17763

• Provide the BIOS Version for the workstation.
  

Answer : Xen 4.2.amazon

• What is the suspicious scheduled task that got created on the victim's computer? 
  

Answer : MSOfficeUpdateFa.ke

• Find the message that the intruder left for you in the task.

Answer : THM-p3R5IStENCe-m3Chani$m

• There is a new System Event ID created by an intruder with the source name "THM-Redline-User" and the Type "ERROR". Find the Event ID #.

Go to event log then search source name in the filter :

Answer : 546

• Provide the message for the Event ID.

Answer : Someone cracked my password. Now I need to rename my puppy-++-

• It looks like the intruder downloaded a file containing the flag for Question 8. Provide the full URL of the website.

Answer : https://wormhole.app/download-stream/gI9vQtChjyYAmZ8Ody0AuA

• Provide the full path to where the file was downloaded to including the filename.

Answer : C:\Program Files (x86)\Windows Mail\SomeMailFolder\flag.txt

• Provide the message the intruder left for you in the file.

Answer : THM{600D-C@7cH-My-FR1EnD}

• What is the actual filename of the Keylogger?

Answer : psylog.exe

• What filename is the file masquerading as?
  

Answer : THM1768.exe

• Who is the owner of the file?
  

Answer : WIN-2DET5DP0NPT\charles

• What is the file size in bytes?
  

Answer : 35400

Provide the full path of where the .ioc file was placed after the Redline analysis, include the .ioc filename as well

Answer : c:\charles\Desktop\Keylogger-IOCSearch\IOCs\keylogger.ioc

•  Can you identify the product name of the machine?
  

Product name will be in the "system information" tab :

 

Answer : Windows 7 Home Basic

• Can you find the name of the note left on the Desktop for the "Charles"?

I searched trhough "file system" then "users\charles\desktop" :

Answer : _R_E_A_D__T_H_I_S__AJYG1O_.txt

• Find the Windows Defender service; what is the name of its service DLL?
  

Gone to "Windows services" then searched for "windef" name :

Then double clicked on the "Windefend" service to view the properties :

Answer : MpSvc.dll

• The user manually downloaded a zip file from the web. Can you find the filename?
  

Looked into file system > download for Charles :

Answer : eb5489216d4361f9e3650e6a6332f7ee21b0bc9f3f3a4018c69733949be1d481.zip

• Provide the filename of the malicious executable that got dropped on the user's Desktop.
  

Answer : [email protected]

• Provide the MD5 hash for the dropped malicious executable.
  

Double clicked on this item :

Answer : fe1bc60a95b2c2d77cd5d232296a7fa4

• What is the name of the ransomware?

Name of the .exe file !

Answer : Cerber

• Read the above. 

No Answer.