What was the command used with the malicious explorer.exe? Submit the entire command as the flag: flag{program.exe --options argument}.

Use the file from Captured Memories.


From the previous challenge, Evil Twin, I knew there were two suspicious explorer.exe processes, PIDs 5448 and 3100. I used Volatility 3's windows.cmdline.CmdLine plugin to extract the command line arguments from each process:

$ vol -qf mem.raw windows.cmdline.CmdLine --pid 5448

5448	explorer.exe	explorer.exe  -lnvp 6666

$ vol -qf mem.raw windows.cmdline.CmdLine --pid 3100

3100	explorer.exe	explorer.exe 6666 -e cmd.exe

The wording of the challenge description suggests that there was a single malicious explorer.exe process when in fact there are two, so I tried submitting both and the accepted flag was flag{explorer.exe 6666 -e cmd.exe}.
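Both command lines are netcat syntax rather than anything the Windows shell would be started with: -lnvp 6666 is a listener on port 6666, and 6666 -e cmd.exe connects to that port and hands the connection a cmd.exe. The script below, added here as an example and not part of the original writeup, turns that observation into a triage step: it parses the tab-separated rows that the CmdLine plugin prints, keeps only processes whose image name is explorer.exe, and flags any whose arguments carry bunched netcat-style options. The sample output is constructed; the two flagged rows mirror the ones above, the other rows are made up.

```python
"""Triage Volatility 3 windows.cmdline.CmdLine output for explorer.exe
processes whose arguments look like netcat rather than the Windows shell."""
import re

# Constructed sample in the tab-separated shape the plugin prints
# (PID, Process, Args). The two suspicious rows mirror the writeup; the
# first two rows are made up benign examples.
SAMPLE_CMDLINE_OUTPUT = """\
PID\tProcess\tArgs
1288\texplorer.exe\tC:\\Windows\\Explorer.EXE
2044\tcmd.exe\t"C:\\Windows\\system32\\cmd.exe"
5448\texplorer.exe\texplorer.exe  -lnvp 6666
3100\texplorer.exe\texplorer.exe 6666 -e cmd.exe
"""

# Single-letter netcat options, which may be bunched together (e.g. -lnvp).
NC_FLAG = re.compile(r"^-([lnvpeuk]+)$")
PORT = re.compile(r"^\d{1,5}$")


def parse_cmdline_output(text):
    """Return (pid, process, args) tuples, skipping the header row and any
    row that did not come out as three tab-separated columns."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or parts[0] == "PID":
            continue
        pid, process, args = parts
        rows.append((int(pid), process, args.strip()))
    return rows


def classify_args(args):
    """Classify one command line as a netcat 'listener', a netcat
    'connect-back' (-e program), or 'benign'. Returns (verdict, port, exec)."""
    tokens = args.split()
    flags = set()
    port = None
    exec_target = None
    # tokens[0] is argv[0] (the image name or path); only inspect real arguments.
    for i, tok in enumerate(tokens[1:], start=1):
        m = NC_FLAG.match(tok)
        if m:
            flags.update(m.group(1))
            # -e takes the program to run on connect as the next token.
            if "e" in m.group(1) and i + 1 < len(tokens):
                exec_target = tokens[i + 1]
        elif PORT.match(tok) and port is None:
            port = int(tok)
    if "l" in flags:
        return "listener", port, exec_target
    if "e" in flags:
        return "connect-back", port, exec_target
    return "benign", None, None


def find_suspicious(text, image_name="explorer.exe"):
    """Flag processes named like the shell whose arguments look like netcat."""
    findings = []
    for pid, process, args in parse_cmdline_output(text):
        if process.lower() != image_name:
            continue
        verdict, port, target = classify_args(args)
        if verdict != "benign":
            findings.append({"pid": pid, "verdict": verdict,
                             "port": port, "exec": target})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_CMDLINE_OUTPUT):
        print(finding)
```

Run the plugin without --pid to dump every process, then feed the saved output to find_suspicious; the legitimate shell shows up as a full path with no arguments and is left alone, while both renamed netcat instances are reported with their port and, for the -e case, the program being handed over.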


