
Silent Locker

Forensics 200 pts standard
Challenge Description

An endpoint was isolated before full encryption. You must reconstruct the attack chain from mixed host artifacts and recover the key indicators.

Identify (after filtering decoys):

  1. Initial access vector.
  2. The real C2 domain used by the locker client.
  3. The short hash of the encryptor sample.
  4. Timestamp of first malicious PowerShell spawn (UTC, exact).

Flag format: HackCTF{...}

Hints
  1. Follow the parent-child chain before trusting IoC lists.
  2. One provided network IoC file is intentionally noisy.
  3. Use exact UTC format for timestamp in the flag.