astronaut
Logbook
Web Security • Research • CTF
Jan 03, 2026

Artifact Of Dangerous Sighting

Created: January 9, 2025 3:54 AM

for



Hint: VHDX, security logs.

  • Open Event Viewer, search for process powershell.exe ⇒ detect tasks/hidden.ps1.
  • Open file hidden.ps1 ⇒ base64 decode.

# Counters: $() is $null, so the ++/-- arithmetic below yields the digits 0-9.
${[~@} = $();
${!!@!!]} = ++${[~@};                                # 1
${[[!} = --${[~@} + ${!!@!!]} + ${!!@!!]};           # 2 (and ${[~@} is back to 0)
${~~~]} = ${[[!} + ${!!@!!]};                        # 3
${[!![!} = ${[[!} + ${[[!};                          # 4
${(~(!} = ${~~~]} + ${[[!};                          # 5
${!~!))} = ${[!![!} + ${[[!};                        # 6
${((!} = ${!!@!!]} + ${[!![!} + ${[[!};              # 7
${=!!@!!} = ${~~~]} - ${!!@!!]} + ${!~!))};          # 8
${!=} = ${((!} - ${~~~]} + ${!~!))} - ${!!@!!]};     # 9
# "$(@{})" is "System.Collections.Hashtable" and "$?" is "True"; indexing them spells out words.
${=@!~!} = "".("$(@{})"[14]+"$(@{})"[16]+"$(@{})"[21]+"$(@{})"[27]+"$?"[1]+"$(@{})"[3]);   # the "".insert method
${=@!~!} = "$(@{})"[14]+"$?"[3]+"${=@!~!}"[27];                                            # "iex"
${@!=} = "["+"$(@{})"[7]+"$(@{})"[22]+"$(@{})"[20]+"$?"[1]+"]";                            # "[Char]"

# Print each value to see what the stub builds.
echo ${[~@};
echo ${!!@!!]};
echo ${[[!};
echo ${~~~]};
echo ${[!![!};
echo ${(~(!};
echo ${!~!))};
echo ${((!};
echo ${=!!@!!};
echo ${!=};
echo ${=@!~!};
echo ${@!=};


  • Modify the encrypted file and deobfuscate again; the next layer is one long [Char]NN + [Char]NN + ... concatenation.

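Both deobfuscation steps above can be reproduced statically, as an added example that is not part of the original write-up: resolve_stub recomputes the strings the stub spells out by indexing (reading its first string assignment as a member lookup on the empty string), and decode_char_chain turns a [Char]N + [Char]N chain into text without executing anything. The function names, INSERT_SIG and both sample chains are assumptions constructed for illustration.

```python
import re

# String forms PowerShell produces for the values the stub indexes into.
HASHTABLE = "System.Collections.Hashtable"  # "$(@{})"
TRUE = "True"                                # "$?" after a successful statement
# Assumption: how the "".insert method object renders as a string.
INSERT_SIG = "string Insert(int startIndex, string value)"

def resolve_stub():
    """Rebuild the three strings the stub assembles by indexing, without running it."""
    method = "".join(HASHTABLE[i] for i in (14, 16, 21, 27)) + TRUE[1] + HASHTABLE[3]
    invoker = HASHTABLE[14] + TRUE[3] + INSERT_SIG[27]
    cast = "[" + "".join(HASHTABLE[i] for i in (7, 22, 20)) + TRUE[1] + "]"
    return method, invoker, cast

CHAR_TERM = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)

def decode_char_chain(text):
    """Decode '[Char]N + [Char]N + ...' to text; nothing is evaluated.

    Returns (decoded, leftover). leftover holds whatever was not a complete
    [Char]N term, e.g. the dangling '[Char]....' of a truncated copy.
    """
    codes = [int(n) for n in CHAR_TERM.findall(text)]
    bad = [c for c in codes if c > 0xFFFF]  # [Char] is a 16-bit code unit
    if bad:
        raise ValueError(f"not a valid [Char] value: {bad[0]}")
    leftover = CHAR_TERM.sub("", text)
    leftover = re.sub(r'[\s+"]', "", leftover)  # drop separators and quotes
    return "".join(map(chr, codes)), leftover

# Constructed samples (not taken from the challenge file).
COMPLETE = '"[Char]101 + [Char]99 + [Char]104 + [Char]111 + [Char]32 + [Char]111 + [Char]107"'
TRUNCATED = "[Char]35 + [Char]32 + [Char]111 + [Char]107 + [Char]10 + [Char]...."

if __name__ == "__main__":
    print(resolve_stub())
    for sample in (COMPLETE, TRUNCATED):
        print(decode_char_chain(sample))
```

A non-empty leftover means the chain was cut short or contains something other than [Char] terms, so the decoded text should be treated as partial.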