Investigating Windows 2.0 — TryHackMe

Investigating Windows 2.0

This is a walkthrough for TryHackMe's room "Investigating Windows 2.0". The room can be found here:

Brief introduction to the tools used


Yara is the pattern-matching Swiss Army knife for malware researchers: a rule matches a file on binary patterns (hex byte sequences) and textual patterns (strings), optionally combined with conditions such as file size or offsets.


Loki is a free, open source IOC (Indicator of Compromise) scanner. It checks files and running processes against YARA rules, known-bad hashes and filename patterns, and reports hits as NOTICE, WARNING and ALERT lines together with the reasons for each score.

Now on to the questions.

What registry key contains the same command that is executed within a scheduled task?

Open Task Scheduler via Run (Win+R) and type taskschd.msc. You will notice a task named GameOver; its action runs an executable named mim.exe. Now open Autoruns from C:\Users\Administrator\Desktop\Tools\SysinternalSuite. Autoruns lists a registry entry that launches the same mim.exe command; that registry key is the answer.
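The same correlation can be scripted rather than eyeballed. The following PowerShell is an added example, not code from the room or the original post: it collects every scheduled-task action and every value in the common Run/RunOnce keys and reports pairs that launch the same executable. It assumes a Windows host with the ScheduledTasks module (Windows 8 / Server 2012 or later); the key list is a common subset of what Autoruns inspects, not all of it.

```powershell
# Added example, not code from the TryHackMe room or the original post.
# Correlates scheduled-task actions with autorun registry values, the check the
# walkthrough performs by hand in Task Scheduler and Autoruns.
# Assumption: Windows host with Get-ScheduledTask (Windows 8 / 2012+).
# The key list is a common subset of what Autoruns inspects, not all of it.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Every (key, value name, command) from the Run keys present on this host.
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }
        [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = [string]$p.Value }
    }
}

# Every scheduled-task exec action as "program arguments".
$taskActions = foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }   # COM-handler actions have no Execute
        [pscustomobject]@{
            Task    = $t.TaskPath + $t.TaskName
            Command = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
        }
    }
}

# Lower-case, strip quotes and collapse whitespace so both sides compare cleanly.
function Normalize([string]$s) {
    (($s -replace '"', '') -replace '\s+', ' ').Trim().ToLowerInvariant()
}

foreach ($ta in $taskActions) {
    $taskCmd = Normalize $ta.Command
    $first = ($taskCmd -split ' ')[0]
    if (-not $first) { continue }
    $exe = Split-Path -Leaf $first
    foreach ($ar in $autoruns) {
        $regCmd = Normalize $ar.Command
        # Report identical commands, and also any registry value that launches the
        # same executable name from a different path or with different arguments.
        if ($regCmd -eq $taskCmd -or $regCmd -like "*$exe*") {
            [pscustomobject]@{
                Task        = $ta.Task
                TaskCommand = $ta.Command
                RegistryKey = $ar.Key
                ValueName   = $ar.ValueName
                RegCommand  = $ar.Command
                ExactMatch  = ($regCmd -eq $taskCmd)
            }
        }
    }
}
```

Run it in an elevated PowerShell on the target; an ExactMatch of True is the scheduled-task/registry pair the question asks for, while loose matches on the executable name catch the same payload launched with different arguments.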


What analysis tool will immediately close if/when you attempt to launch it?

From the SysinternalSuite folder, if we open procexp64.exe it closes immediately. The reason becomes clear in the next question: something on the host is watching for that exact process name.


What is the full WQL Query associated with this script?

Run loki.exe from the C:\Users\Administrator\Desktop\Tools\loki_0.33.0\loki folder. In the WMI scan output you will see the WQL query behind the event filter:

SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'procexp64.exe'


What is the script language?

PowerShell. The script on disk is a .ps1 file, C:\TMP\WMIBackdoor.ps1, which is examined in the following questions.

What is the name of the other script?

From the above Loki output: LaunchBeaconingBackdoor

The same name appears in C:\TMP\WMIBackdoor.ps1:


What is the name of the software company visible within the script?

From C:\TMP\WMIBackdoor.ps1: Motobit Software


What 2 websites are associated with this software company? (answer, answer)

Search online for the name of the script from Q5 and one of the websites from the previous answer. What attack script comes up in your search?

Searching for those two terms together brings up this script: WMIBackdoor.ps1


What is the location of this file within the local machine?

WMIBackdoor.ps1 is located in C:\TMP on the local machine.

Which 2 processes open and close very quickly every few minutes? (answer, answer)

If you watch the desktop for a few minutes, two console windows pop up briefly at regular intervals:


This can also be confirmed in Task Scheduler, where the task that launches mim.exe repeats on a short interval:

[Screenshot: Task Scheduler]

What is the parent process for these 2 processes?


When mim.exe runs, click anywhere inside its console window. With QuickEdit enabled, a click starts a text selection, and a console with an active selection blocks the process's next write, so mim.exe stalls instead of exiting and its PID can be read in Task Manager. Then run the following, substituting that PID, to find the parent process ID:

wmic process get processid,parentprocessid,executablepath | find "<PID of mim.exe>"

find does a plain substring match, so check the ProcessId column rather than trusting the first hit. Running the same command again with the parent's PID gives the parent's executable path and therefore its name.

[Screenshot: parent process ID]
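The console-click trick works but is fiddly. The following PowerShell is an added example, not the room's or the post's code: it polls Win32_Process until a named process appears and then walks its parent chain from a single snapshot of the process table, which also covers the "What is the parent process for these 2 processes?" question. It assumes a Windows host; the target name mim.exe and the timeout are illustrative. A process that lives for less than the poll interval can still be missed, in which case Process Monitor's Process Start event (used later in this walkthrough) also records the parent PID.

```powershell
# Added example, not code from the room or the original post.
# Waits for a short-lived process to appear, then walks its parent chain.
# Assumption: Windows host with the CIM cmdlets; name and timeout are illustrative.
function Get-ParentChain {
    param(
        [Parameter(Mandatory)] [string]$Name,   # e.g. 'mim.exe'
        [int]$TimeoutSeconds = 300,
        [int]$PollMilliseconds = 200
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $proc = $null
    # Poll until the process shows up; it may only live a fraction of a second.
    while (-not $proc -and (Get-Date) -lt $deadline) {
        $proc = Get-CimInstance Win32_Process -Filter "Name='$Name'" | Select-Object -First 1
        if (-not $proc) { Start-Sleep -Milliseconds $PollMilliseconds }
    }
    if (-not $proc) { throw "$Name did not start within $TimeoutSeconds seconds" }

    # Snapshot the whole table once so the chain is resolved from one consistent view.
    $byPid = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $byPid[[int]$p.ProcessId] = $p }

    $chain = @()
    $cur = $proc
    while ($cur) {
        $chain += [pscustomobject]@{
            ProcessId   = $cur.ProcessId
            Name        = $cur.Name
            Created     = $cur.CreationDate
            CommandLine = $cur.CommandLine
        }
        $parent = $byPid[[int]$cur.ParentProcessId]
        if (-not $parent -or $parent.ProcessId -eq $cur.ProcessId) { break }
        # PIDs are recycled: a "parent" created after its child is a stale PID,
        # not the real parent, so record that and stop.
        if ($parent.CreationDate -and $cur.CreationDate -and
            $parent.CreationDate -gt $cur.CreationDate) {
            $chain += [pscustomobject]@{
                ProcessId   = $parent.ProcessId
                Name        = "$($parent.Name) (PID reused, not the real parent)"
                Created     = $parent.CreationDate
                CommandLine = $null
            }
            break
        }
        $cur = $parent
    }
    return $chain
}

Get-ParentChain -Name 'mim.exe' | Format-Table -AutoSize
```

The first row is the target process and the second row is its parent; the remaining rows continue up to the root of the tree. For a task launched by the Task Scheduler the parent is the service host that runs the Schedule service, which is why a scheduled task rather than an interactive user is the next thing to check.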

What is the first operation for the first of the 2 processes?

We can use Process Monitor (ProcMon64.exe, available in C:\Users\Administrator\Desktop\Tools\SysinternalSuite) to monitor what mim.exe does. Add a filter on Process Name is mim.exe; the first operation listed is "Process Start".

[Screenshot: Process Monitor]

Inspect the properties for the 1st occurrence of this process. In the Event tab what are the 4 pieces of information displayed? (answer, answer, answer, answer)

From the Event tab of that first event: Parent PID, Command line, Current directory, Environment

Inspect the disk operations, what is the name of the unusual process?

Locate and open Process Hacker 2 from the C:\Users\Administrator\Desktop\Tools folder. Under the Disk tab, notice an unusual entry named "No process". That label is what Process Hacker shows for disk I/O whose originating process has already exited by the time the entry is resolved, which fits a process that starts and quits within seconds.

[Screenshot: Process Hacker]

Run Loki. Inspect the output. What is the name of the module after `Init`?

For this we need to run Loki while writing its output to a log file:

loki.exe -l log.txt

[Screenshot: Loki with log file]

Then in log.txt we can see that the module named after Init is "WMIScan".


Regarding the 2nd warning, what is the name of the eventFilter?

Run loki.exe from the C:\Users\Administrator\Desktop\Tools\loki_0.33.0\loki folder and look at the two WARNING lines. The name of the event filter in the second warning is "ProcessStartTrigger".


For the 4th warning, what is the class name?

The class name in the 4th warning is "__FilterToConsumerBinding", the WMI class that ties an event filter to the consumer that runs when the filter fires.
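Loki's WMIScan reports these three classes (the filter holding the WQL query from the earlier question, the consumer, and the binding between them) as separate warnings. The following PowerShell is an added example, not code from the room or the original post, that reads the same permanent WMI event subscriptions directly and joins each binding to its filter query and consumer payload. It assumes a Windows host with the CIM cmdlets and local administrator rights; Get-RefName is a helper defined here to cope with reference properties returned either as objects or as path strings.

```powershell
# Added example, not code from the room or the original post.
# Enumerates permanent WMI event subscriptions in root\subscription and joins
# binding -> filter (WQL query) -> consumer (what actually runs).
# Assumption: Windows host, CIM cmdlets, run as local administrator.
$ns = 'root\subscription'

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)   # all subclasses
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

function Get-RefName($ref) {
    # A binding's Filter/Consumer are references. CIM usually returns the
    # referenced instance; WMI returns a path string such as
    # __EventFilter.Name="ProcessStartTrigger". Handle both.
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $ref }
    }
    return $ref.Name
}

function Get-ConsumerPayload($c) {
    # The interesting field depends on the consumer subclass.
    switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { return $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { return "$($c.ScriptingEngine): $($c.ScriptText)" }
        'NTEventLogEventConsumer'   { return "EventLog: $($c.SourceName)" }
        default                     { return $null }
    }
}

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
    [pscustomobject]@{
        Filter       = $fName
        Query        = $f.Query
        Consumer     = $cName
        ConsumerType = $c.CimClass.CimClassName
        Payload      = Get-ConsumerPayload $c
    }
}

# Also list filters and consumers that no binding references: leftovers from a
# partially removed backdoor are still worth recording.
$boundFilters   = $report | ForEach-Object { $_.Filter }
$boundConsumers = $report | ForEach-Object { $_.Consumer }
$orphans = @($filters   | Where-Object { $_.Name -notin $boundFilters }   | ForEach-Object { "orphan filter: $($_.Name) :: $($_.Query)" }) +
           @($consumers | Where-Object { $_.Name -notin $boundConsumers } | ForEach-Object { "orphan consumer: $($_.Name) ($($_.CimClass.CimClassName))" })

$report | Format-List
$orphans
```

On a typical Windows install the only pair present is the built-in SCM Event Log Filter/Consumer, so anything else, and in particular any CommandLineEventConsumer or ActiveScriptEventConsumer bound to a Win32_ProcessStartTrace or timer-based filter, deserves to be read in full. A filter query such as the one on procexp64.exe above, bound to a consumer that kills the process, is exactly how the analysis tool from the second question is being closed.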


What binary alert has the following 4d5a90000300000004000000ffff0000b8000000 as FIRST_BYTES?

These FIRST_BYTES belong to the binary "nbtscan.exe". Note that 4d5a9000... is just the standard MZ/DOS header that every PE executable starts with, so FIRST_BYTES alone does not identify a file; Loki's other reasons are what distinguish the hits.


According to the results, what is the description listed for reason 1?

From the snapshot of the last question we can see the description (DESC) as "Known Bad / Dual use classics".

Which binary alert is marked as APT Cloaked?

From the output of loki.exe, the binary marked as APT cloaked is "p.exe". This is actually a renamed PsExec.exe.


What are the matches? (str1, str2)

From the above snapshot the matches are: psexesvc.exe, Sysinternals PsExec

Which binary alert is associated with somethingwindows.dmp found in C:\TMP?

From the output of loki.exe, the binary alert associated with somethingwindows.dmp comes from the file "schtasks-backdoor.ps1".


Which binary is encrypted that is similar to a Trojan?

From the output of loki.exe, the binary "xCmd.exe" is flagged as encrypted, behaviour typical of a Trojan.


There is a binary that can masquerade itself as a legitimate core Windows process/image. What is the full path of this binary?

From the output of loki.exe, the binary masquerading as the Windows core process svchost.exe is C:\Users\Public\svchost.exe.


What is the full path location for the legitimate version?

The legitimate version of svchost.exe lives in C:\Windows\System32.


What is the description listed for reason 1?

As the svchost.exe above is running from a non-standard location, REASON_1 is "Stuff running where it normally shouldn't".
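The check behind that reason can be reproduced without Loki. The following PowerShell is an added example, not code from the room or the original post: it finds files and running processes that carry a core Windows image name but live outside the legitimate system directories, and prints the suspect beside the genuine System32 copy so the signature and hash can be compared. It assumes a Windows host; the name list and search roots are illustrative, not exhaustive. On older hosts Get-AuthenticodeSignature can report catalog-signed system files as NotSigned, so the hash comparison is the more reliable of the two fields.

```powershell
# Added example, not code from the room or the original post.
# Finds core-named images outside System32/SysWOW64 on disk and in memory and
# shows them next to the genuine image for a signature and hash comparison.
# Assumption: Windows host; name list and search roots are illustrative.
$coreNames   = 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'explorer.exe'
$legitDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot")
$searchRoots = @('C:\Users', 'C:\TMP', 'C:\ProgramData', "$env:TEMP")

function Test-InLegitDir([string]$path) {
    $dir = Split-Path -Parent $path
    foreach ($d in $legitDirs) { if ($dir -ieq $d) { return $true } }
    return $false
}

function Get-ImageFacts([string]$path) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path      = $path
        Signature = $sig.Status                      # 'Valid' for genuine Microsoft images
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
}

# 1. Files on disk with a core image name outside the legitimate directories.
$onDisk = foreach ($root in $searchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $coreNames -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-InLegitDir $_.FullName) } |
        ForEach-Object { Get-ImageFacts $_.FullName }
}

# 2. Running processes with a core name whose image path is not legitimate.
$running = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -in $coreNames -and $_.ExecutablePath -and
                   -not (Test-InLegitDir $_.ExecutablePath) } |
    ForEach-Object {
        Get-ImageFacts $_.ExecutablePath |
            Add-Member -NotePropertyName ProcessId -NotePropertyValue $_.ProcessId -PassThru
    }

# Print each suspect followed by the genuine image it imitates.
foreach ($s in @($onDisk) + @($running)) {
    $legit = Join-Path "$env:SystemRoot\System32" (Split-Path -Leaf $s.Path)
    "--- suspect ---"; $s
    if (Test-Path $legit) { "--- legitimate ---"; Get-ImageFacts $legit }
}
```

A matching SHA256 means someone simply copied the real binary (still worth asking why), while a different hash with an invalid or missing signature is the masquerade Loki describes.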

There is a file in the same folder location that is labeled as a hacktool. What is the name of the file?

From the output of loki.exe, the file is "en-US.js", which sits in the same folder, C:\Users\Public.


What is the name of the Yara Rule MATCH?

From the last answer, the Yara rule MATCH is "CACTUSTORCH", a JavaScript/VBScript shellcode launcher, which fits a hacktool hit on a .js file.

Which binary didn’t show in the Loki results?

We did not see "mim.exe" in the Loki results, even though it runs periodically via the Task Scheduler.

Complete the yar rule file located within the Tools folder on the Desktop. What are 3 strings to complete the rule in order to detect the binary Loki didn’t hit on? (answer, answer, answer)

So we need to complete the following rule in the test.yar file in the Tools folder:

[Screenshot: test.yar rule]

From the YARA room we know that the strings section of a rule can hold text or hex patterns to search for in a file. Here we need to pull those strings out of mim.exe, which is in C:\TMP. We can use strings64.exe, available in C:\Users\Administrator\Desktop\Tools\SysinternalSuite, and since the rule already shows the length and some characters of each required string, we can narrow the output with findstr regular expressions, where ^ and $ anchor the whole line and each . matches exactly one character:

strings64.exe C:\TMP\mim.exe | findstr "^.....1$"
strings64.exe C:\TMP\mim.exe | findstr "^....x.$"
strings64.exe C:\TMP\mim.exe | findstr "^v........7$"
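The same search in pure PowerShell, as an added example that is not code from the original post or the room: a small strings extractor that returns both ASCII and UTF-16LE runs (as strings64.exe does by default) and filters them with the three patterns above. It assumes the binary is at C:\TMP\mim.exe; the patterns mirror the findstr ones, with . matching any single character and ^ and $ anchoring the whole string.

```powershell
# Added example, not code from the room or the original post.
# Extracts printable strings from a binary and filters them by regex, which is
# what the strings64.exe | findstr pipeline above does.
# Assumption: the file is C:\TMP\mim.exe; the patterns are the ones from the post.
function Get-PrintableStrings {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [int]$MinLength = 3                     # strings64.exe's default minimum
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to exactly one char, so regex works over raw bytes.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # ASCII runs of printable characters (0x20..0x7E).
    $ascii = [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") |
        ForEach-Object { $_.Value }
    # UTF-16LE runs: printable byte followed by NUL, which strings64 also reports.
    # The regex scans every offset, so odd-aligned wide strings are found too.
    $wide = [regex]::Matches($text, "(?:[\x20-\x7E]\x00){$MinLength,}") |
        ForEach-Object { $_.Value -replace "`0", '' }

    return @($ascii) + @($wide)
}

function Find-StringsMatching {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string[]]$Patterns
    )
    $all = Get-PrintableStrings -Path $Path
    foreach ($p in $Patterns) {
        # -cmatch is case-sensitive, matching findstr's default behaviour.
        [pscustomobject]@{
            Pattern = $p
            Matches = @($all | Where-Object { $_ -cmatch $p } | Sort-Object -Unique)
        }
    }
}

Find-StringsMatching -Path 'C:\TMP\mim.exe' -Patterns '^.....1$', '^....x.$', '^v........7$' |
    Format-List
```

Each pattern may return more than one candidate; pick the ones whose visible characters agree with what the rule in test.yar already shows. If a YARA binary is available, running the completed rule against C:\TMP\mim.exe (for example yara64.exe test.yar C:\TMP\mim.exe) is the final check that the rule now hits the file Loki missed.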


That’s it. Thanks for reading.




Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900
