Tags: forensic 

Challenge: Artifact (Easy)

Solution:

1. The attached file is named “execution”.
2. The file type is identified as: MS Windows Registry File
3. After searching online and reviewing writeups, I found that one way to analyze this registry file is to use the RegRipper tool to extract the necessary information.
4. I searched through all the .exe files, and the name "DeadPotato" caught my attention. It is a Windows privilege escalation utility, part of the well-known “Potato” family of exploits, which are famous for their sophisticated methods of escalating privileges on Windows systems.
5. After aligning the information with the required flag format, the challenge was solved!

**Flag:** BHFlagY{DeadPotato-NET4.exe_09/08/2024_22:42:13}
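
The file-type check in step 2 and the .exe search in step 4 can also be done directly on the hive bytes before running a full parser. The following is an added example, not part of the original writeup (which used RegRipper); the sample hive is constructed and the names `SAMPLE`, `example-tool.exe` and `build_sample_hive` are placeholders.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_regf_header(data):
    """Read the triage-relevant fields of the 4096-byte regf base block."""
    if len(data) < 4096 or data[:4] != b"regf":
        raise ValueError("no 'regf' signature: not a registry hive")
    seq1, seq2, filetime, major, minor = struct.unpack_from("<IIQII", data, 4)
    name = data[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00")[0]
    return {
        "clean": seq1 == seq2,  # mismatch means pending changes sit in .LOG files
        "last_written": EPOCH_1601 + timedelta(microseconds=filetime // 10),
        "version": f"{major}.{minor}",
        "embedded_name": name,
    }

def find_exe_names(data):
    """Carve printable UTF-16LE and ASCII runs and keep basenames ending in .exe."""
    runs = ((rb"(?:[\x20-\x7e]\x00){5,}", "utf-16-le"), (rb"[\x20-\x7e]{5,}", "ascii"))
    hits = set()
    for pattern, encoding in runs:
        for match in re.finditer(pattern, data):
            text = match.group().decode(encoding)
            hits.update(re.findall(r'[^\\/:|"<>?*]+\.exe', text, re.IGNORECASE))
    return sorted(hits)

def build_sample_hive():
    """Constructed sample: a bare base block followed by two fake string payloads."""
    delta = datetime(2024, 1, 1, tzinfo=timezone.utc) - EPOCH_1601
    filetime = int(delta.total_seconds()) * 10**7
    header = struct.pack("<4sIIQII", b"regf", 7, 7, filetime, 1, 5).ljust(0x30, b"\x00")
    header += "SAMPLE".encode("utf-16-le")
    body = b"hbin".ljust(32, b"\x00")
    body += r"C:\Users\Public\example-tool.exe".encode("utf-16-le") + b"\x00\x00"
    body += b"notepad.exe\x00"
    return header.ljust(4096, b"\x00") + body

if __name__ == "__main__":
    hive = build_sample_hive()
    print(parse_regf_header(hive))
    print(find_exe_names(hive))
```

String carving only surfaces candidate names; the timestamp tied to an entry still has to come from a structure-aware parser such as RegRipper.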