Tags: forensics memorydump volatility darkcomet 

# Attaaaaack4

## Background

Q4. What is the name and PID of the suspicious process?

example : crew{abcd.exe_111}

Author: 0xSh3rl0ck

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230710142835.png)

## Find the flag

**In Attaaaaack2, we listed all running processes with `pslist`, and some of them look weird:**
```
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
[...]
0x84398998 runddl32.exe 300 2876 10 2314 1 0 2023-02-20 19:03:40 UTC+0000
0x84390030 notepad.exe 2556 300 2 58 1 0 2023-02-20 19:03:41 UTC+0000
0x84df2458 audiodg.exe 1556 752 6 129 0 0 2023-02-20 19:10:50 UTC+0000
0x84f1caf8 DumpIt.exe 2724 1596 2 38 1 0 2023-02-20 19:10:52 UTC+0000
[...]
```

The `runddl32.exe` process is weird to me, as its name is run**ddl**, not run**dll**: it imitates the legitimate `rundll32.exe`. Its PID is 300, and the `notepad.exe` entry right below it has PPID 300, so the suspicious process is also the parent of that `notepad.exe`.
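The check above (a process name one character away from a well-known Windows binary) can be automated over `pslist` output. The script below is an added example, not part of the original writeup: it parses the rows quoted above (embedded here as a constructed sample), flags names within a small edit distance of a list of known Windows binaries, and lists the children of a flagged PID. The `KNOWN_BINARIES` set is an assumed, deliberately short allow-list; a real triage would use a fuller inventory of the image's expected binaries.

```python
import re

# Constructed sample: the pslist rows quoted in the writeup (header rows omitted).
PSLIST_OUTPUT = """\
0x84398998 runddl32.exe 300 2876 10 2314 1 0 2023-02-20 19:03:40 UTC+0000
0x84390030 notepad.exe 2556 300 2 58 1 0 2023-02-20 19:03:41 UTC+0000
0x84df2458 audiodg.exe 1556 752 6 129 0 0 2023-02-20 19:10:50 UTC+0000
0x84f1caf8 DumpIt.exe 2724 1596 2 38 1 0 2023-02-20 19:10:52 UTC+0000
"""

# Assumed allow-list of legitimate Windows binary names (lower-cased). Extend as needed.
KNOWN_BINARIES = {
    "rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
    "notepad.exe", "audiodg.exe", "services.exe", "winlogon.exe", "smss.exe",
}

# Volatility 2 pslist row: Offset(V) Name PID PPID ... (only the first four fields are used).
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+")


def parse_pslist(text):
    """Return a list of dicts (offset, name, pid, ppid) for every data row in pslist output."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip header, separator and '[...]' lines
        procs.append({
            "offset": m.group(1),
            "name": m.group(2),
            "pid": int(m.group(3)),
            "ppid": int(m.group(4)),
        })
    return procs


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_lookalikes(procs, known=KNOWN_BINARIES, max_distance=2):
    """Flag process names that are NOT in the allow-list but are within
    max_distance edits of one. Returns (name, pid, imitated_binary) tuples."""
    hits = []
    for p in procs:
        name = p["name"].lower()
        if name in known:
            continue
        for k in sorted(known):
            if levenshtein(name, k) <= max_distance:
                hits.append((p["name"], p["pid"], k))
    return hits


def children_of(procs, pid):
    """Return the names of processes whose PPID is the given PID."""
    return [p["name"] for p in procs if p["ppid"] == pid]


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_OUTPUT)
    for name, pid, imitated in find_lookalikes(procs):
        print(f"{name} (PID {pid}) looks like {imitated}; children: {children_of(procs, pid)}")
```

Running it prints the single lookalike, `runddl32.exe` (PID 300) imitating `rundll32.exe`, together with its child `notepad.exe`, which is exactly the parent/child relationship visible in the PPID column above.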

- **Flag: `crew{runddl32.exe_300}`**

Original writeup (https://siunam321.github.io/ctf/CrewCTF-2023/Forensics/Attaaaaack1-13/#attaaaaack4).