Other Program Execution Artefacts

There are several locations on a computer with Windows 10 installed that contain aretafcts indicating a previous process execution. An example of of one of these locations is detailed below:

UserAssit

This aretfact is a registry key that relates to the execution of GUI programs launched via the Desktop. The key location is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count

An example of this registry key is detailed below:

Note the 2 Count GUIDs highlighted above. These GUIDs relate to:

• CEBFF5CD Executable File Executed
• F4E57C4B Shortcut File Executed

It can be seen that the content of the keys do not appear to make any sense. This is because the characters are ROT13 encoded. This encoding is a simple caesar substitution cipher. Let’s use Cyber Chef to decode the first highlighted entry ‘abgrcnq.rkr’:

It can be seen that that each character will be rotated 13 times (to the left). The file ‘abgrcnq.rkr’ is then decoded to ‘notepad.exe’.

How cool is Cyber Chef?

Additional information…

Remember any data that is encoded can still be processed by a computer providing the encoding scheme is known. Encrypted data however, cannot be processed without a key.

The following are examples of publicly available encoding schemes in use today:

• HTML Encoding

• URL Encoding

• Unicode Encoding

• Base64 Encoding

• Hex Encoding