Tags: vbs vbscript pcap forensics 

Rating: 0

tl;dr:
1. Follow emails in the pcap
2. Extract 3 stages of VBScript from the pcap data
3. Decrypt the flag

Full writeup: https://github.com/p4-team/ctf/tree/master/2019-09-07-trendmicro-quals/combo_100