Wimdows 2 - author: deltabluejay - forensics
WriteUp: Eliot, Rubisk and tinderbox.
For this step, we start by opening the Event Viewer and looking at the PowerShell logs in particular. Several entries contain base64-encoded commands, and we finally find this one:

After decoding the base64, we get the flag.
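The decoding step above, as an added example that is not part of the original write-up: it assumes the command was passed to powershell.exe with `-EncodedCommand` (base64 over UTF-16LE text) and runs over constructed sample messages, not the challenge's log entries. The function names and sample strings are hypothetical.

```python
import base64
import binascii
import re

# Constructed sample messages (not from the challenge); the payload is harmless.
_SAMPLE_CMD = 'Write-Output "flag{constructed_example}"'
_SAMPLE_B64 = base64.b64encode(_SAMPLE_CMD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    "HostApplication=powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    f"HostApplication=powershell.exe -NoP -W Hidden -enc {_SAMPLE_B64}",
    "HostApplication=powershell.exe -ExecutionPolicy Bypass -e QUJD",
]

# Any flag starting with "-e", followed by a base64-looking argument.
FLAG_ARG = re.compile(r"(?i)(?<!\S)-(e[a-z]*)\s+['\"]?([A-Za-z0-9+/]+={0,2})")


def is_encoded_flag(name):
    """PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...)."""
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_commands(message):
    """Return the decoded -EncodedCommand payloads found in one event message."""
    decoded = []
    for match in FLAG_ARG.finditer(message):
        flag, blob = match.group(1), match.group(2)
        if not is_encoded_flag(flag):
            continue  # e.g. -ExecutionPolicy
        try:
            raw = base64.b64decode(blob, validate=True)
            decoded.append(raw.decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not UTF-16LE text
    return decoded


def scan(events):
    """Return (index, command) pairs for every decodable encoded command."""
    return [(i, cmd) for i, msg in enumerate(events)
            for cmd in decode_encoded_commands(msg)]


if __name__ == "__main__":
    for index, command in scan(SAMPLE_EVENTS):
        print(f"event {index}: {command}")
```

Decoding the same blob as UTF-8 instead leaves a NUL byte after every ASCII character, which is a quick sign that the value is an `-EncodedCommand` argument.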