Keeping on Schedule

by sealldev
Tags: CTFs, DawgCTF 2025, forensics

Description

One of our computers on the company network had some malware on it. We think we cleared out the main payload; however, it came back. Can you check for any signs of persistence? We are able to provide you a copy of the registry, the sooner the better!

For any registry-related challenges, make sure not to overwrite your machine's own registry, as it is a sensitive system.

For this challenge we are given a zip file with some registry hives.

We can load and browse these offline hives with RegCool. (Screenshot: RegCool with the hives loaded.)

RegCool also has a fast search function; searching for ‘Dawg’ gives a match at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A31AA14-DFE0-4B02-96F9-6CB9BD69A3F9}. The TaskCache\Tasks subkeys are where the Task Scheduler keeps its registered tasks, so a hit there points at a scheduled task as the persistence mechanism.

The value's data is stored as hex; decoding it with CyberChef reveals the flag. (Screenshot: decoded value in CyberChef.)
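A scriptable equivalent of the CyberChef step, added here as an example and not part of the original writeup: it takes a hex dump as copied from a registry editor, turns it back into raw bytes and lists the ASCII and UTF-16LE strings inside, which is how paths, authors and command lines in TaskCache values normally appear. The sample blob and every string in it are constructed for the demonstration and have nothing to do with the actual challenge value.

```python
"""Decode a hex-dumped registry value and pull the readable strings out of it."""
import binascii
import re
from typing import List, Tuple


def parse_hex_dump(text: str) -> bytes:
    """Turn a hex dump as pasted from a registry editor into raw bytes.

    Accepts '0x' prefixes, spaces, commas, colons and newlines, so both
    "03 00 41 00" and "0x03,0x00,0x41,0x00" work. Raises ValueError on
    non-hex input or an odd number of hex digits.
    """
    cleaned = re.sub(r"0x", "", text, flags=re.IGNORECASE)
    cleaned = re.sub(r"[\s,:]", "", cleaned)
    if len(cleaned) % 2:
        raise ValueError("hex dump has an odd number of digits")
    return binascii.unhexlify(cleaned)  # binascii.Error is a ValueError subclass


def extract_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in blob.

    Plain ASCII runs and UTF-16LE runs (each printable byte followed by a NUL,
    the way Windows stores most registry text) are both reported, sorted by
    offset, so a task's author, path and arguments show up whichever way the
    Task Scheduler encoded them.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits: List[Tuple[int, str, str]] = []
    for m in ascii_re.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def triage_hex_value(hex_text: str, min_len: int = 4) -> List[str]:
    """Decode a pasted hex value and return just the readable strings, in order."""
    return [text for _, _, text in extract_strings(parse_hex_dump(hex_text), min_len)]


def build_sample_blob() -> bytes:
    """Constructed stand-in for a REG_BINARY task value; NOT the challenge's data."""
    return (
        b"\x03\x00"  # small binary header, as such values usually start with
        + "Constructed Author".encode("utf-16-le") + b"\x00\x00"
        + "C:\\Tools\\sample.exe".encode("utf-16-le") + b"\x00\x00"
        + b"CONSTRUCTED-ASCII-MARKER" + b"\x00"
    )


def to_hex_dump(blob: bytes) -> str:
    """Render bytes the way a registry editor displays REG_BINARY data."""
    return " ".join(f"{b:02x}" for b in blob)


if __name__ == "__main__":
    dump = to_hex_dump(build_sample_blob())
    for offset, enc, text in extract_strings(parse_hex_dump(dump)):
        print(f"{offset:#06x} {enc:8s} {text}")
```

Paste the hex of any TaskCache value into `triage_hex_value` and the strings come back in offset order, so the executable path or command line a task runs is visible without guessing at the blob's exact layout; anything unexpected under `Schedule\TaskCache\Tasks` on a cleaned host is worth that look.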

Flag: DawgCTF{Fun_W1th_T4sks}
