Tags: forensics memorydump volatility darkcomet 

# Attaaaaack5

## Background

Q5. What is another process that is related to this process and is strange?

example: crew{spotify.exe}

Author: 0xSh3rl0ck

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230710142844.png)

## Find the flag

In Attaaaaack4, we found that `runddl32.exe` is sussy.

**Then, we can use its PID to find which process has a Parent PID (PPID) equal to the `runddl32.exe` PID:**
```
0x84398998 runddl32.exe 300 2876 10 2314 1 0 2023-02-20 19:03:40 UTC+0000
0x84390030 notepad.exe 2556 300 2 58 1 0 2023-02-20 19:03:41 UTC+0000
```

Found it!

- **Flag: `crew{notepad.exe}`**
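The same PPID lookup done programmatically over saved Volatility 2 `pslist` output, as an added example that is not part of the original writeup. The two `runddl32.exe`/`notepad.exe` rows are the ones above; the header and the `explorer.exe` row are constructed for illustration.

```python
"""Parse Volatility 2 `pslist` output and list the children of a process."""
from collections import namedtuple
from typing import List

# Columns of a Volatility 2 pslist row (Exit column omitted: it is usually blank).
Proc = namedtuple("Proc", "offset name pid ppid thds hnds sess wow64 start")

# Constructed sample: header + separator in pslist style, the two rows from the
# writeup, and an invented explorer.exe row so runddl32.exe has a visible parent.
SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x84398998 runddl32.exe 300 2876 10 2314 1 0 2023-02-20 19:03:40 UTC+0000
0x84390030 notepad.exe 2556 300 2 58 1 0 2023-02-20 19:03:41 UTC+0000
0x843a1234 explorer.exe 2876 2800 30 900 1 0 2023-02-20 19:02:10 UTC+0000
"""


def parse_pslist(text: str) -> List[Proc]:
    """Turn pslist rows into Proc records, skipping header/separator/blank lines."""
    procs = []
    for line in text.splitlines():
        f = line.split()
        # A data row starts with a 0x offset and has numeric PID/PPID fields;
        # Thds/Hnds/Sess are kept as strings because pslist prints '------' for some.
        if len(f) < 11 or not f[0].startswith("0x") or not (f[2].isdigit() and f[3].isdigit()):
            continue
        procs.append(Proc(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6], f[7], " ".join(f[8:11])))
    return procs


def children_of(procs: List[Proc], name: str) -> List[Proc]:
    """Processes whose PPID equals the PID of any process called `name`."""
    pids = {p.pid for p in procs if p.name.lower() == name.lower()}
    return [p for p in procs if p.ppid in pids]


def ancestry(procs: List[Proc], pid: int) -> List[str]:
    """Walk PPIDs upward from `pid`; stops when the parent is not in the listing."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE)
    for child in children_of(procs, "runddl32.exe"):
        print(f"child of runddl32.exe: {child.name} (PID {child.pid})")
    print(" <- ".join(ancestry(procs, 2556)))
```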

Original writeup (https://siunam321.github.io/ctf/CrewCTF-2023/Forensics/Attaaaaack1-13/#attaaaaack5).