Hell Spawn 1

Challenge:

What was the name of the process that spawned the malicious explorer.exe? Submit the flag as the name and extension of the process and the PID of the process, separated by an underscore: flag{process_name.ext_PID}

Use the file from Captured Memories.
Max attempts: 10

Solution:

From my analysis during the Evil Twin challenge I already knew that cmd.exe was the parent that launched the malicious explorer.exe processes.

PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime
528	424	wininit.exe	0x87868f2e1080	1	-	0	False	2020-06-26 15:07:45.000000 	N/A
* 648	528	services.exe	0x87868f2e1080	6	-	0	False	2020-06-26 15:07:46.000000 	N/A
** 4448	648	SearchIndexer.	0x87868f2e1080	23	-	0	False	2020-06-26 15:09:31.000000 	N/A
*** 3944	4448	cmd.exe	0x87868f2e1080	0	-	0	False	2020-06-26 15:37:19.000000 	2020-06-26 15:44:33.000000 
**** 5448	3944	explorer.exe	0x87868f2e1080	1	-	0	True	2020-06-26 15:43:14.000000 	N/A
*** 4424	4448	cmd.exe	0x87868f2e1080	1	-	0	False	2020-06-26 15:46:51.000000 	N/A
**** 3100	4424	explorer.exe	0x87868f2e1080	5	-	0	True	2020-06-26 15:48:21.000000 	N/A
***** 4640	3100	cmd.exe	0x87868f2e1080	1	-	0	True	2020-06-26 15:48:21.000000 	N/A

Similar to the Commands challenge, the wording in the description suggests that there was a single malicious explorer.exe process when in fact there are two, so I tried submitting both and the accepted flag was flag{cmd.exe_3944}. Confusingly, this wasn’t the process that the Commands challenge considered the “malicious explorer.exe”.
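As an added example (not part of the original writeup or of Volatility), the Python below parses the pstree rows above, embedded as constructed sample input, resolves the parent of each explorer.exe into the flag's process_name.ext_PID form, and adds a detection-style check that flags explorer.exe instances not started by userinit.exe or running under Wow64.

```python
"""Parse Volatility 3 pstree output and find which process spawned each explorer.exe."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the rows shown in the writeup, tab-separated as pstree prints them.
PSTREE = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime
528\t424\twininit.exe\t0x87868f2e1080\t1\t-\t0\tFalse\t2020-06-26 15:07:45.000000\tN/A
* 648\t528\tservices.exe\t0x87868f2e1080\t6\t-\t0\tFalse\t2020-06-26 15:07:46.000000\tN/A
** 4448\t648\tSearchIndexer.\t0x87868f2e1080\t23\t-\t0\tFalse\t2020-06-26 15:09:31.000000\tN/A
*** 3944\t4448\tcmd.exe\t0x87868f2e1080\t0\t-\t0\tFalse\t2020-06-26 15:37:19.000000\t2020-06-26 15:44:33.000000
**** 5448\t3944\texplorer.exe\t0x87868f2e1080\t1\t-\t0\tTrue\t2020-06-26 15:43:14.000000\tN/A
*** 4424\t4448\tcmd.exe\t0x87868f2e1080\t1\t-\t0\tFalse\t2020-06-26 15:46:51.000000\tN/A
**** 3100\t4424\texplorer.exe\t0x87868f2e1080\t5\t-\t0\tTrue\t2020-06-26 15:48:21.000000\tN/A
***** 4640\t3100\tcmd.exe\t0x87868f2e1080\t1\t-\t0\tTrue\t2020-06-26 15:48:21.000000\tN/A
"""

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    wow64: bool
    created: str

def parse_pstree(text: str) -> Dict[int, Proc]:
    """Build a PID -> Proc map; the leading '*' characters only encode tree depth."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split("\t")
        pid = int(f[0].lstrip("* "))
        procs[pid] = Proc(pid, int(f[1]), f[2], f[7] == "True", f[8])
    return procs

def spawners(procs: Dict[int, Proc], image: str) -> List[Tuple[int, str]]:
    """For every process named `image` (oldest first), return (its PID, 'parent.exe_PPID')."""
    out = []
    for p in sorted(procs.values(), key=lambda p: p.created):
        if p.name.lower() == image:
            parent: Optional[Proc] = procs.get(p.ppid)
            out.append((p.pid, f"{parent.name}_{parent.pid}" if parent else f"<unknown>_{p.ppid}"))
    return out

def suspicious_explorers(procs: Dict[int, Proc]) -> List[int]:
    """Detection view: the real shell is launched by userinit.exe and is 64-bit on a 64-bit host.
    A missing parent is normal (userinit exits), so only a *present* non-userinit parent or Wow64 is flagged."""
    flagged = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if p.name.lower() == "explorer.exe" and (
                p.wow64 or (parent is not None and parent.name.lower() != "userinit.exe")):
            flagged.append(p.pid)
    return flagged

if __name__ == "__main__":
    tree = parse_pstree(PSTREE)
    for pid, label in spawners(tree, "explorer.exe"):
        print(f"explorer.exe PID {pid} spawned by {label} -> flag{{{label}}}")
    print("suspicious explorer.exe PIDs:", suspicious_explorers(tree))
```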
