Tags: mitre registry privesc 

Rating: 5.0

Basically, we just need to find the difference between the two registry export files in the zip archive. The easiest way to do this is with `diff`, the standard Linux command-line tool.

In the output we see `"SCRNSAVE.EXE"="C:\\Users\\Daniel\\Desktop\\shell.exe"`, which looks sketchy. In the Microsoft [docs](https://docs.microsoft.com/en-us/windows/win32/devnotes/scrnsave-exe), we see that this registry key "specifies the name of the screen saver executable file". Given that the executable is named `shell.exe` and lives on a user's desktop rather than in the system directory, we can infer this is the persistence method the hacker used.

Now you just have to Google `MITRE Screensaver Persistence` and you'll land on `T1546.002` (Event Triggered Execution: Screensaver).
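The same comparison can be scripted so the screen-saver change is flagged automatically instead of eyeballed in `diff` output. The following is an added example, not part of the original writeup: the two `.reg` snippets are constructed stand-ins for the challenge files (only the `SCRNSAVE.EXE` value mirrors what the writeup found), and `parse_reg`, `diff_reg` and `flag_screensaver_persistence` are hypothetical helper names.

```python
"""Diff two Windows .reg exports and flag screen-saver persistence (MITRE T1546.002).

Added example for the writeup above; the registry exports below are constructed,
not the challenge's real files.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed "before" export: a normal Control Panel\Desktop key.
BEFORE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="600"
"SCRNSAVE.EXE"="C:\\Windows\\system32\\Bubbles.scr"
'''

# Constructed "after" export: same key, but the screen saver now points at shell.exe.
AFTER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="600"
"SCRNSAVE.EXE"="C:\\Users\\Daniel\\Desktop\\shell.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=data

RegValues = Dict[Tuple[str, str], str]


def unquote_reg_string(data: str) -> str:
    """Turn .reg string data ("C:\\\\x") into the real value (C:\\x); other types pass through."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def parse_reg(text: str) -> RegValues:
    """Map (key path, value name) -> data for every value in a .reg export."""
    values: RegValues = {}
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            name, data = value_match.groups()
            values[(current_key, name)] = unquote_reg_string(data)
    return values


def diff_reg(before: str, after: str) -> Dict[Tuple[str, str], Tuple[Optional[str], str]]:
    """Return {(key, name): (old, new)} for values that were added or changed in `after`."""
    old_values, new_values = parse_reg(before), parse_reg(after)
    return {
        k: (old_values.get(k), new)
        for k, new in new_values.items()
        if old_values.get(k) != new
    }


def flag_screensaver_persistence(changes) -> List[Tuple[str, str, str, str]]:
    """Flag a changed SCRNSAVE.EXE value; return (key, name, new path, technique id).

    A legitimate screen saver is an .scr normally under the Windows directory, so a
    changed value pointing elsewhere is the indicator the writeup relied on.
    """
    hits = []
    for (key, name), (_old, new) in changes.items():
        if name.lower() == "scrnsave.exe":
            hits.append((key, name, new, "T1546.002"))
    return hits


if __name__ == "__main__":
    for key, name, path, technique in flag_screensaver_persistence(diff_reg(BEFORE_REG, AFTER_REG)):
        print(f"[{technique}] {key}\\{name} -> {path}")
```

Run directly, the script reports the single changed value under `HKEY_CURRENT_USER\Control Panel\Desktop` and tags it with the technique id; on the real challenge files you would feed the two exported `.reg` texts in place of the constructed strings.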

Original writeup (https://github.com/NihilistPenguin/PatriotCTF2022-Writeups/blob/main/Forensics/B%C3%A9zier.md).