Tags: forensics volatility gimp memory_dump
Rating:
TLDR;
The challenge consists of a single vmem file (VM memory dump).
After some analysis, one of the things that stand out was that the mstsc.exe process was running.
After a little bit of poking around, the flag could be found in one of the images preserved in the process memory.
