Investigating Windows 2 - mattit4o/TryHackMeWriteUps GitHub Wiki

THM Investigating Windows 2.0

https://tryhackme.com/room/investigatingwindows2

Writeup in progress...

The room is the 2nd in the Investigating Windows series, and I found it more challenging than the 1st room and learned more about Windows and Sysinternals tools. I also had to learn about Yara and Loki. I had to ask for some help from the forum/Discord.

Tasks

#1 What registry key contains the same command that is executed within a scheduled task?

#2 What analysis tool will immediately close if/when you attempt to launch it?

#3 What is the full WQL Query associated with this script?

#4 What is the script language?

#5 What is the name of the other script?

#6 What is the name of the software company visible within the script?

#7 What 2 websites are associated with this software company? (answer, answer)

#8 Search online for the name of the script from Q5 and one of the websites from the previous answer. What attack script comes up in your search?

#9 What is the location of this file within the local machine?

#10 Which 2 processes open and close very quickly every few minutes? (answer, answer)

#11 What is the parent process for these 2 processes?

#12 What is the first operation for the first of the 2 processes?

#13 Inspect the properties for the 1st occurrence of this process. In the Event tab, what are the 4 pieces of information displayed? (answer, answer, answer, answer)

#14 Inspect the disk operations. What is the name of the unusual process?

#15 Run Loki. Inspect the output. What is the name of the module after Init?

#16 Regarding the 2nd warning, what is the name of the eventFilter?

#17 For the 4th warning, what is the class name?

#18 What binary alert has the following 4d5a90000300000004000000ffff0000b8000000 as FIRST_BYTES?

#19 According to the results, what is the description listed for reason 1?

#20 Which binary alert is marked as APT Cloaked?

#21 What are the matches? (str1, str2)

#22 Which binary alert is associated with somethingwindows.dmp found in C:\TMP?

#23 Which binary is encrypted that is similar to a trojan?

#24 There is a binary that can masquerade itself as a legitimate core Windows process/image. What is the full path of this binary?

#25 What is the full path location for the legitimate version?

#26 What is the description listed for reason 1?

#27 There is a file in the same folder location that is labeled as a hacktool. What is the name of the file?

#28 What is the name of the Yara Rule MATCH?

#29 Which binary didn't show in the Loki results?

#30 Complete the yar rule file located within the Tools folder on the Desktop. What are 3 strings to complete the rule in order to detect the binary Loki didn't hit on? (answer, answer, answer)