Reminiscent

I dumped the powershell process, but I’m having trouble searching through it with strings. I also attempted to go to https://technical.nttsecurity.com/post/102egyy/hunting-malware-with-memory-analysis but the post is no longer available.

Too many rabbit holes… Can’t believe I have gone so far just based on a simple hex editor :)

I can’t get the resume.zip from http://10.10.99.55:8080/resume.zip … the server seems to be down.

Great challenge. Learned something ;_;
PM for nudges

Wow. OK, this is harder than I thought. Any help is much appreciated, as I would love to solve this one! I see the .LNK file; I tried pulling it from memory with no luck. I see some weird network connections made from powershell.exe and another process with weird characters and a PID of 1. Please, anyone, assist! :)

Great challenge again, nice way to get introduced to memory analysis.

@antmar904 : If you know that PS.exe is running … Then …
Pull the right thing from memory; maybe go through the list of plugins of the tool you’re using. Something will stand out.

Hi,
I got the lnk file (extracted it from a VACB file).
I also got the instructions about how to convert the file from base64 to unicode.
But for me it is not clear which file I should apply this to. It says $f = the file name. Is this the file on which I should apply the code?
In the lower part of the file I found a long string that ends with =. I’ve been trying with CyberChef to convert this from base64 to get the flag, but until now no luck.
Can anybody give me a hint?
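The base64-to-unicode step asked about above, as an added example (not code from the thread or the challenge): PowerShell’s -EncodedCommand takes a script encoded as UTF-16LE and then Base64, so decoding the blob with a plain “From Base64” yields text with a 0x00 after every character unless it is read back as UTF-16LE. The snippet below carves Base64-looking runs out of a byte blob (here a constructed stand-in for the tail of a carved .lnk file) and decodes them the way PowerShell does. The sample command and blob are constructed for the example; the file name, PID and flag from the challenge are not used.

```python
import base64
import re

# Constructed sample: a harmless one-liner, encoded the way
# `powershell -EncodedCommand` expects it (UTF-16LE, then Base64).
SAMPLE_COMMAND = "Write-Output 'constructed sample'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")

# Constructed stand-in for the tail of a carved .lnk file: binary junk
# surrounding a command line that carries the Base64 blob.
SAMPLE_BLOB = (
    b"\x00\x01\x02junk\xff\xfe"
    + b"powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED.encode("ascii")
    + b"\x00\x00trailing\x90\x90"
)


def find_base64_candidates(data: bytes, min_len: int = 40) -> list[str]:
    """Return long Base64-looking runs found anywhere in a byte blob.

    Short Base64-alphabet runs (file names, flags) are skipped via min_len;
    optional '=' padding at the end of a run is kept.
    """
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]


def decode_encoded_command(b64: str) -> str:
    """Decode a Base64 blob the way PowerShell -EncodedCommand does (UTF-16LE).

    Falls back to UTF-8 when the decoded bytes are clearly not UTF-16LE,
    since some droppers Base64-encode a UTF-8 script instead.
    """
    raw = base64.b64decode(b64, validate=True)
    # UTF-16LE text made of ASCII characters has a 0x00 at every odd offset,
    # so a high share of zeros there is a strong hint of -EncodedCommand.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def decode_from_blob(data: bytes) -> list[str]:
    """Carve and decode every Base64 candidate in the blob."""
    return [decode_encoded_command(c) for c in find_base64_candidates(data)]


if __name__ == "__main__":
    for decoded in decode_from_blob(SAMPLE_BLOB):
        print(decoded)
```

To use it on a real carved file, read the file as bytes and pass the result to decode_from_blob; if the long string the post mentions decodes to text interleaved with null bytes, it was UTF-16LE and needs the first branch above.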

Jesus, I really overthought the whole thing and wasted way too much time trying to make a GUI I found for a tool I was attempting to use work, because I was overwhelmed by the terminal. But after giving up 5 times and coming back, I just said f it, let’s try to use it, and got it within 5 mins.