Challenge info
Name: Pr3
Category: Forensics
Difficulty: Medium
Points: 100
Link: CyberHackathon

Description

Hello my friend, I'm sure my PC is infected by a malicious program. Can you locate where that program was?

Flag Format: Flag{**************}

Approach

We have a 7z file containing many prefetch files. Utilizing PECmd from Eric Zimmerman, we can generate a single CSV file from all the prefetch files.

After downloading the tool, we can use it to produce a CSV file.

PECmd.exe -d "C:\Users\asads\Downloads\PECmd" --csv "C:\Users\asads\PECmd"

A legitimate dllhost.exe runs only from System32; any other location points to an impostor. Filtering the CSV for dllhost confirmed exactly that: a copy in a user's Temp directory whose name spells the process with a zero in place of the letter "o".
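To show how this triage can be automated rather than eyeballed, here is an added example (not part of the original write-up and not PECmd's own code) that walks a PECmd-style CSV and flags a watched system binary whose image sits outside System32 or whose name uses digit-for-letter substitution. The column names and sample rows are constructed to resemble PECmd's layout, not copied from it.

```python
import csv
import io
import re

# Constructed sample in PECmd's CSV style; the column names are assumed, not PECmd's exact headers.
SAMPLE_CSV = r"""ExecutableName,LastRun,FilesLoaded
DLLHOST.EXE,2023-01-10 09:12:01,\VOLUME{01d8}\WINDOWS\SYSTEM32\DLLHOST.EXE;\VOLUME{01d8}\WINDOWS\SYSTEM32\NTDLL.DLL
SVCHOST.EXE,2023-01-10 09:13:44,\VOLUME{01d8}\WINDOWS\SYSTEM32\SVCHOST.EXE;\VOLUME{01d8}\WINDOWS\SYSTEM32\NTDLL.DLL
DLLH0ST.EXE,2023-01-11 22:03:17,\VOLUME{01d8}\USERS\WORK\APPDATA\LOCAL\TEMP\DLLH0ST.EXE;\VOLUME{01d8}\WINDOWS\SYSTEM32\NTDLL.DLL
"""

LEGIT_DIRS = {r"\WINDOWS\SYSTEM32"}  # where the watched binaries legitimately live
WATCHED = {"DLLHOST.EXE", "SVCHOST.EXE", "LSASS.EXE", "CSRSS.EXE"}  # names malware imitates
HOMOGLYPHS = str.maketrans({"0": "O", "1": "I", "5": "S"})  # digits that read like letters
VOLUME_PREFIX = re.compile(r"^\\VOLUME\{[^}]*\}", re.IGNORECASE)


def fold_name(name: str) -> str:
    """Upper-case a file name and fold look-alike digits so DLLH0ST.EXE reads DLLHOST.EXE."""
    return name.upper().translate(HOMOGLYPHS)


def find_masquerades(csv_text: str) -> list:
    """Return prefetch entries whose executable imitates a watched system binary."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = row["ExecutableName"].upper()
        canonical = fold_name(exe)
        if canonical not in WATCHED:
            continue
        for loaded in row["FilesLoaded"].split(";"):
            path = VOLUME_PREFIX.sub("", loaded).upper()
            if not path.endswith("\\" + exe):
                continue  # only the process's own image, not the DLLs it loaded
            parent = path.rsplit("\\", 1)[0]
            reasons = []
            if parent not in LEGIT_DIRS:
                reasons.append("image outside " + ", ".join(sorted(LEGIT_DIRS)))
            if canonical != exe:
                reasons.append("name imitates " + canonical + " with look-alike digits")
            if reasons:
                findings.append({"name": exe, "path": path, "last_run": row["LastRun"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_CSV):
        print(hit["last_run"], hit["path"], "|", "; ".join(hit["reasons"]))
```

On real PECmd output, point the reader at the CSV the `--csv` switch produced and adjust the column names to the ones in its header row.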

Flag: Flag{\USERS\WORK\APPDATA\LOCAL\TEMP\DLLH0ST.EXE}