Scenario

The Account Executive called the SOC earlier and sounds very frustrated and angry. He stated he can’t access any files on his computer and keeps receiving a pop-up stating that his files have been encrypted. You disconnected the computer from the network and extracted the memory dump of his machine and started analyzing it with Volatility. Continue your investigation to uncover how the ransomware works and how to stop it!

https://blueteamlabs.online/home/challenge/memory-analysis-ransomware-7da6c9244d


1- Run “vol.py -f infected.vmem --profile=Win7SP1x86 psscan” that will list all processes. What is the name of the suspicious process?

@WanaDecryptor

[Screenshot: Volatility process listing]

First we confirm the OS with the imageinfo plugin (vol.py -f infected.vmem imageinfo), which prints the suggested profiles; Win7SP1x86 is the profile passed with --profile to every later plugin run.

[Screenshot: imageinfo output]

Then we run pslist. The question suggests psscan instead: pslist walks the active process list, while psscan carves _EPROCESS structures from physical memory and therefore also shows processes that have exited or been unlinked from that list, so it is worth running both and comparing. Two names stand out in the result: @WanaDecryptor and or4qtckT.exe, both of which are suspicious.

I go with @WanaDecryptor, since that is the name the WannaCry decryptor component runs under (@WanaDecryptor@.exe), which ties the process directly to WannaCry ransomware.

2- What is the parent process ID for the suspicious process?

2732

[Screenshot: pslist/pstree output]

You can read the PPID column straight from the pslist output, but pstree shows the parent/child relationship more clearly, which also helps with the next question.
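The steps above (list processes, compare pslist against psscan, walk the PPID chain as pstree does) can be scripted once you have the plugin output saved to text. The following is an added example written for this writeup; it is not Volatility's own code and does not touch the challenge image. It parses constructed listings shaped like Volatility 2 pslist and psscan output, flags suspicious image names, reports processes psscan found that pslist did not, and prints a pstree-style view with the ancestry of each flagged process. The only fact taken from the writeup is @WanaDecryptor with parent PID 2732; every offset, timestamp, other PID and other image name is assumed, and "dropper.exe" at PID 2732 is a placeholder, not the challenge's parent process.

```python
"""Triage helpers for Volatility 2 pslist/psscan text output (added example).

Not part of Volatility or the challenge. Listings below are CONSTRUCTED:
offsets, timestamps, PIDs other than 2732 and all names except
@WanaDecryptor are assumed; "dropper.exe" at 2732 is only a placeholder.
"""
import re
from collections import defaultdict

# Columns shared by pslist (Offset(V)) and psscan (Offset(P)): offset,
# image name, PID, PPID. Names hold no spaces (15-char ImageFileName field).
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")

# CONSTRUCTED sample shaped like `vol.py -f infected.vmem --profile=Win7SP1x86 pslist`.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84a3b8a8 System                    4      0     86      498 ------      0 2025-01-01 09:00:00 UTC+0000
0x85f0c7d8 explorer.exe           1588   1576     30      899      1      0 2025-01-01 09:00:20 UTC+0000
0x86a1c9e8 dropper.exe            2732   1588      3      121      1      0 2025-01-01 09:05:00 UTC+0000
0x86a4d3a0 @WanaDecryptor         2876   2732      2       71      1      0 2025-01-01 09:05:02 UTC+0000
0x86b2e030 taskhsvc.exe           3012   2876      4       90      1      0 2025-01-01 09:05:03 UTC+0000
"""

# CONSTRUCTED sample shaped like psscan output. psscan carves _EPROCESS
# structures from physical memory, so it also returns processes that exited
# or were unlinked from the active list; cmd.exe (2500) plays that role here.
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003ea3b8a8 System                4      0 0x00185000 2025-01-01 09:00:00 UTC+0000
0x000000003ef0c7d8 explorer.exe       1588   1576 0x3eaa30c0 2025-01-01 09:00:20 UTC+0000
0x000000003f11c9e8 dropper.exe        2732   1588 0x3eaa3180 2025-01-01 09:05:00 UTC+0000
0x000000003f14d3a0 @WanaDecryptor     2876   2732 0x3eaa31c0 2025-01-01 09:05:02 UTC+0000
0x000000003f22e030 taskhsvc.exe       3012   2876 0x3eaa3200 2025-01-01 09:05:03 UTC+0000
0x000000003f0a1020 cmd.exe            2500   2732 0x3eaa3140 2025-01-01 09:05:01 UTC+0000   2025-01-01 09:05:02 UTC+0000
"""

# Image names WannaCry's components are known to run under.
WANNACRY_NAMES = {"@wanadecryptor@.exe", "tasksche.exe", "taskdl.exe",
                  "taskse.exe", "taskhsvc.exe"}


def parse_listing(text):
    """Map PID -> {"name", "ppid", "offset"} for every process row."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            offset, name, pid, ppid = m.groups()
            procs[int(pid)] = {"name": name, "ppid": int(ppid), "offset": offset}
    return procs


def psscan_only(pslist, psscan):
    """PIDs psscan carved that the list walked by pslist lacks (exited or unlinked)."""
    return sorted(set(psscan) - set(pslist))


def ancestry(procs, pid):
    """[(pid, name), (parent pid, name), ...] up to the first unknown parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against loops from PID reuse
        chain.append((pid, procs[pid]["name"]))
        pid = procs[pid]["ppid"]
    return chain


def is_suspicious(name):
    """Triage heuristic: a known WannaCry name (prefix match, so the truncated
    "@WanaDecryptor" still hits) or a character no ordinary Windows binary name
    uses, such as '@'. Expect false positives; it is a first-pass filter only."""
    low = name.lower()
    if len(low) >= 6 and any(k.startswith(low) for k in WANNACRY_NAMES):
        return True
    return re.search(r"[^A-Za-z0-9._-]", name) is not None


def triage(pslist_text, psscan_text):
    """Flag suspicious processes and record where each one came from."""
    pslist, psscan = parse_listing(pslist_text), parse_listing(psscan_text)
    flagged = sorted(pid for pid, p in psscan.items() if is_suspicious(p["name"]))
    return {"flagged": flagged,
            "psscan_only": psscan_only(pslist, psscan),
            "chains": {pid: ancestry(psscan, pid) for pid in flagged}}


def render_tree(procs):
    """pstree-style lines: children indented under their parent."""
    children = defaultdict(list)
    for pid, p in procs.items():
        children[p["ppid"]].append(pid)
    lines = []

    def walk(pid, depth):
        p = procs[pid]
        lines.append(f"{'. ' * depth}{p['name']} (PID {pid}, PPID {p['ppid']})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(pid for pid, p in procs.items() if p["ppid"] not in procs):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_listing(PSSCAN))))
    result = triage(PSLIST, PSSCAN)
    for pid in result["flagged"]:
        print(pid, " <- ".join(f"{n}[{p}]" for p, n in result["chains"][pid]))
    print("psscan-only PIDs (exited/unlinked):", result["psscan_only"])
```

On a real case, save the plugin output with `vol.py ... pslist > pslist.txt` and `vol.py ... psscan > psscan.txt` and feed the file contents to triage(); the psscan-only set is where a dropper that ran and exited before the capture tends to show up, which is exactly what the next question is after.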

3- What is the initial malicious executable that created this process?