MINAF (Ministerio de la Alegria y la Felicidad, Ministry of Joy and Happiness) is an (obviously) ficticious spanish government body in charge of keeping Spanish people tradicional cheerful character.

But happiness is at risk in MINAF headquarters. On November 3, around 11:00 AM (Madrid timezone, UTC+1) Mary Happy (MINAF's Director of Celebrations) calls IT: her email is "acting funny". Some messages are appearing as read (and she swears that she did not read them). An IT sysadmin does a general check without finding anything strange in Mary Happy's computer ... but when they check the email server logs they find some accesses from a suspicious IP.

The IT sysadmin raises and alert and cibersecurity takes charge. They quickly locate 6 other accounts accessed by the suspicious IP, all belonging to senior MINAF management personnel. A security incident is declared, and further analysis locate "patient zero": Joe Pleased (MINAF's deputy Director of Delight) is the first account accessd by the suspicious IP.

Evidences
MINAF sysadmin gives you these evidences:

Joe Pleased's RAM dump: MINAF-PC1.zip
Joe Pleased's Triage data: MINAF-PC1_Triage.zip

* Here you have the hashes for all the collected evidence: hashes.txt

The RAM dump has been taken with winpmem .The triage data has been obtained using CyLR.

Basic Info
MINAF information systems are pretty standard: endpoints with Windows 7 (SP1, 64bits), and several Windows 2008 R2 Servers. Best security practices are observed in MINAF's information systems: every server and endpoint have an antivirus and has updated security patches.

Your task
Answer all the challenges and help MINAF solve its security incident.

[Note1]: The flags are all case-insensitive and must be answered in plaintext (oldschool guy here).

Make MINAF happy again!

Made by
This challenge has been made by Antonio Sanz (@antoniosanzalc), with support from DIEC (Telecommunications Engineering Department) at University of Zaragoza. Extra large thanks go to José Luis Salazar (crypto man) and Alvaro Alesanco (network and medical devices security guy), professors from DIEC/Unizar for their support.

Play, learn, share & have fun!