As I showed a colleague, it’s easy to analyze a file encoded with certutil using my base64dump.py tool:
Just use option -w to ignore all whitespace, and base64dump.py will detect and decode the base64 string.
As can be seen in the screenshot, it’s a file starting with MZ: probably a PE file.
We can confirm this with my YARA rule to detect PE files:
Or use pecheck.py:
Didier Stevens 