# More_eggs, Anyone? Threat Actor ITG08 Strikes Again

**[securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again](https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/)**

[IBM X-Force Incident Response and Intelligence Services (IRIS) responds to security incidents](https://www.ibm.com/security/services/ibm-x-force-incident-response-and-intelligence)
across the globe. During a recent incident response investigation, our team identified new attacks
[by the financially motivated attack group ITG08, also known as FIN6.](https://attack.mitre.org/groups/G0037/)

ITG08 is an organized cybercrime gang that has been active since 2015, mostly targeting pointof-sale (POS) machines in brick-and-mortar retailers and companies in the hospitality sector in
the U.S. and Europe. More recently, the group has been observed targeting e-commerce
environments by injecting malicious code into online checkout pages of compromised websites —
a technique known as online skimming — thereby stealing payment card data transmitted to the
vendor by unsuspecting customers.

Based on our investigation and analysis of its adversarial tactics, techniques and procedures
(TTPs), we believe ITG08 is actively attacking multinational organizations, targeting specific
employees with spear phishing emails advertising fake job advertisements and repeatedly
[deploying the More_eggs JScript backdoor malware (aka Terra Loader, SpicyOmelette). This tool,](https://attack.mitre.org/software/S0284/)
a TTP observed in ITG08 attacks since 2018, is sold on the dark web by an underground
malware-as-a-service (MaaS) provider. Attackers use it to create, expand and cement their
foothold in compromised environments. Past campaigns by ITG08 using the More_eggs backdoor
[were last reported in February 2019.](https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf)

In the campaign we investigated, the attackers employed additional TTPs historically associated
with ITG08, including the use of Windows Management Instrumentation (WMI) to automate the
remote execution of PowerShell scripts, PowerShell commands with base64 encoding, and
[Metasploit and PowerShell to move laterally and deploy malware. Lastly, the attackers used](https://www.metasploit.com/)
Comodo code-signing certificates several times during the course of the campaign. Many of the
above TTPs are not unique to ITG08, but collectively, and with the use of More_eggs, strengthen
the link to this group.


-----

Let s take a closer look at ITG08 s TTPs that are relevant to the campaign we investigated,
starting with its spear phishing and intrusion tactics and covering information on its use of the
[More_eggs backdoor. Please note that Visa has attributed the use of this backdoor to FIN6 in](https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf)
attacks that took place in 2018. Further linking the activity with the same threat actor, several of
the network indicators and TTPs we encountered in this case — including the use of fake job
advertisements as a lure in spear phishing — overlap with those reported earlier in 2019 by both
[Visa and Proofpoint researchers.](https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers)

## Analysis of the Intrusion

ITG08’s TTPs in compromising targeted organizations follow the typical framework for APT
attacks. The following sections go over the steps taken by the attackers to gain an initial foothold
and persist on the victimized organization’s networks.

### Initial Compromise

To gain access to victim environments, the threat actor began by targeting handpicked employees
using LinkedIn messaging and email, advertising fake jobs to lure recipients into checking into the
supposed offers. In one case, we uncovered evidence indicating that the attacker had established
communication with a victim via email and convinced them to click on a Google Drive URL
purporting to contain an attractive job advert. Once clicked, the URL displayed the message,
“Online preview is not available,” then presented a second URL leading to a compromised or
rogue domain, where the victim could download the payload under the guise of a job description:

_Figure 1: Link provided in spear phishing email to an employee_

That URL, in turn, downloaded a ZIP file containing a malicious Windows Script File (WSF) that
initiated the infection routine of the More_eggs backdoor:


-----

_Figure 2: Final landing page that downloads a malicious file_

Based on file system artifacts examined during our investigation, the ZIP file and WSF files were
deleted upon a successful malware infection, likely in an attempt to prevent researchers from
recovering the original files from the filesystem. The filesystem, however, contained evidence of a
nonmalicious decoy document dropped to the disk drive during the spear phishing attacks.

### Gaining a Foothold

The spear phishing attacks unfortunately led to initial compromise and the installation of the
More_eggs JScript backdoor, which established a reverse shell connection to the attacker’s
command-and-control (C&C) infrastructure. Additional capabilities of the More_eggs malware
include the download and execution of files and scripts and running commands using cmd.exe.

X-Force IRIS determined that the More_eggs backdoor later downloaded additional files,
including a signed binary shellcode loader and a signed Dynamic Link Library (DLL), as described
below, to create a reverse shell and connect to a remote host. The shellcode loader was
observed on one infected device as updater.exe with the Metasploit-style service name
_APTYnDS1ABEuUHEA, indicating that it was installed as a service._

### Reconnaissance, Lateral Movement and Privilege Escalation

Once the attackers established a foothold on the network, they employed WMI and PowerShell
techniques to perform network reconnaissance and move laterally within the environment. This
type of method, called living off the land, can often blend with legitimate system administration
activities, which can make it challenging for security controls to detect.

The attackers used this technique to remotely install a Metasploit reverse TCP stager on select
[systems, subsequently spawning a Meterpreter session and Mimikatz. Meterpreter is a payload](https://www.csoonline.com/article/3353416/what-is-mimikatz-and-how-to-defend-against-this-password-stealing-tool.html)
component in the Metasploit Framework that uses in-memory DLL injection, which can lead to a

i b l li i d / d Mi ik t i t l it ti t l


-----

Once the Metasploit reverse TCP stager executed, it downloaded and loaded a second stage
Meterpreter DLL into memory, allowing the attacker to spawn a Meterpreter session via a handler
and initiate the loading of extensions, such as Mimikatz. In addition to the More_eggs malware,
the attacker leveraged in-memory attacks by injecting malicious code, in this case Mimikatz, into
legitimate system processes.

### Establishing Persistence

To cement their foothold and add persistence throughout the compromised environment, X-Force
IRIS uncovered evidence that the attacker had selected several additional devices on which to
install the More_eggs backdoor, creating redundancy in ways to get back into the network. ITG08
remotely connected to these devices using PowerShell and WMI and downloaded and executed a
DLL file, subsequently installing More_eggs on the device without dropping the nonmalicious
decoy document.

## More_eggs: Malware Analysis

### ITG08 Leveraging a Malware-as-a-Service Provider

A recently rising attack tool in ITG08 campaigns has been the More_eggs JScript backdoor. But
while it was recently identified with ITG08 activity, the More_eggs backdoor is apparently
[developed and sold through an underground MaaS provider. This vendor not only supplies the](https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648)
backdoor malware, but also offers related technical services, such as preparing the network
infrastructure to download More_eggs-related files and furnishing resources for C&C purposes.

In addition to More_eggs, the same underground vendor is also responsible for producing the
signed DLL described below, which creates a reverse shell (ReverseShell Executable). We based
this assessment on code similarities between the DLL and other samples created by the same
vendor, including the DLL that drops the More_eggs backdoor.


-----

_Figure 3: Network indicators revealing the use of an underground MaaS vendor selling_
_More_eggs and malicious infrastructure services_

### The More_eggs Dropper DLL

After a successful phishing attack in which users have opened emails and browsed to malicious
links, ITG08 attackers install the More_eggs JScript backdoor on user devices alongside several
other malware components.

The process begins with the consistent execution of a malicious DLL using the legitimate
_regsvr32.exe Windows Utility. Once executed, the DLL is deleted from the system and its_
components are dropped to the system.

Before being deleted, the DLL executes a string decoding routine that is designed to execute for
about a minute, spiking central processing unit (CPU) usage for the regsvr32.exe process. Once
the strings are decoded, the More_eggs components are decrypted, dropped to the system
(normally in the %APPDATA%\Microsoft\ or %ProgramData%\Microsoft\ directories) and
executed.


-----

_Figure 4: Sample encoded and decoded strings_

### More_eggs Components

The More_eggs dropper DLL creates the following components on the infected device (further
detail on each component in the chart follows in the next section):

**Sample File Name** **Description**

5795C3AC7F57F.txt An XSL stylesheet file that contains an obfuscated More_eggs
JScript loader.

625222E09B6CD028459.txt Benign XML document occasionally used as a parameter when exe‐
cuting the msxsl.exe utility.

27603.docx Benign Word Document decoy. The Decoy was not always dropped
in the executions of the DLLs analyzed.

A70613FF7F5DE98.txt Obfuscated script file that executes msxsl.exe with the appropriate
parameters as arguments. Once the script executes, the More_eggs
JScript is loaded into the memory space of msxsl.exe.

msxsl.exe Benign Microsoft Command Line Transformation Utility known to be
used to execute malicious code and bypass application whitelisting.

_Figure 5: Components created by DLL_

_msxsl.exe is executed by the script file A70613FF7F5DE98.txt, which is obfuscated as shown_
below:

_Figure 6: Obfuscated script file A70613FF7F5DE98.txt_

The use of msxsl.exe is a known tactic to execute malicious code and bypass application
whitelisting. The deobfuscated command is built as follows:

_“C:\Users\<username>\AppData\Roaming\Microsoft\msxsl.exe” “C:\Users\_


-----

Once the above command is executed, the More_eggs JScript loader 5795C3AC7F57F.txt will
deobfuscate the embedded More_eggs JScript. A sample loader is shown below.

The start of the XSL file:

_Figure 7: JScript loader sample_

The end of the XSL file:

_Figure 8: JScript loader sample_

The “select” value within the template tag points to the function in the msxsl:script tag, which will
execute when the msxsl.exe command is run. The JScript loader file is highly obfuscated and
decodes the More_eggs backdoor in a variety of ways, including RC4 decryption.

### Analyzing the More_eggs JScript Backdoor

The analysis in this section details the functionality of More_eggs backdoor samples specific to
this investigation, so please bear in mind that the same malware can be deployed differently in
other campaigns and by alternate attackers.

The core functionality of the samples analyzed in this campaign remained the same as described
by previous researchers. We aimed to add additional detail about the inner workings of the
malware, including its C&C communications flow, its filesystem activity, and some encryption and
encoding schemes used by the samples we analyzed.

The More_eggs backdoor is executed entirely in memory, never touching the filesystem in an
unencrypted state. Notable configuration data is hardcoded and includes its C&C server address,
malware version number and an Rkey value, which is believed to identify campaign perpetrators
to the vendor:

The Rkey value is appended with a two-byte, pseudorandomly generated string used to
construct an RC4 key.
The Rkey variable is part of the ciphering key used to encrypt C&C communications.
The RC4 key is then used to encrypt data, which is additionally basE91 encoded and sent


-----

Upon initial execution, the backdoor checks its environment to determine whether it is running
with administrative or user privileges, and if proper components are present on the system. To
check the user’s privilege level on the newly infected device, it attempts to read the registry key
_HKEY_USERS\S-1-5-19\Environment\TEMP; a successful read means it is running with_
administrative privileges, and the backdoor builds the path %ProgramData%\Microsoft. If it is not
running with administrative privileges, the path %AppData%\Microsoft is used.

The More_eggs backdoor obtains the username and computer name of the infected device, and if
running with privileges, it reads the following registry key:
_HKEY_LOCAL_MACHINE\Software\Microsoft\Notepad\<computername>. If not running with_
privileges, it reads the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\
_<username> instead._

The data in these Windows registry keys is expected to be a comma-separated list of files with no
extension. The .txt extension is appended to the name by the backdoor. If these files exist along
with msxsl.exe in the proper location, either %ProgramData%\Microsoft or %AppData%\Microsoft,
the malware’s execution continues.

Once the environment is checked, the backdoor will check for network connectivity by sending an
HTTP GET request to hxxp://www.w3[.]org/1999/XSL/Format, ensuring the response is “This is
another XSL namespace\n.”

_GET /1999/XSL/Format HTTP/1.1_
_Accept: */*_
_Accept-Language: en-us_
_UA-CPU: [CPU version]_
_Accept-Encoding: gzip, deflate_
_User-Agent: [User agent string here]_
_Host: www.w3.org_
_Connection: Keep-Alive,_

_Figure 9: HTTP GET request_

If the connection is successful, the backdoor builds a string formatted with “|<random-value>|”.
The random value is between 8 and 32 bytes long, RC4-encrypted, basE91 encoded, and
subsequently sent to the C&C in an HTTP POST request.

The RC4 key used is generated from the Rkey variable value:

_POST HTTP/1.1_
_Connection: Keep-Alive_
_Accept: */*_
_Accept-Language: en-us_
_User-Agent: [User agent string]_
_Content-Length: 36_
_Host:_
_6R+#9fWCy)htQSo4:H9&JSMTx|X[OEKj^gXE_

_Figure 10: HTTP POST request_

The C&C response is expected to be between 8 and 32 bytes long, nothing is done with the

Th d l t h d h k b t th b kd d th C&C


-----

_GET /avIRga9sfvjGj3HCPGlgzaBXOof3u7wq HTTP/1.1_
_Connection: Keep-Alive_
_Accept: */*_
_Accept-Language: en-us_
_User-Agent: [User agent string]_
_Host: 8.8.8.8_

_Figure 11: HTTP GET request to 8.8.8.8_

If the handshake is successful, the backdoor proceeds to collect system information from the
infected device using a series of WMIC commands.

_“%comspec% /c wmic path win32_Operatingsystem get SerialNumber /FORMAT:Textvaluelist | find‐_
_str /R /C:\”SerialNumber=\” >_
_\”C:\\Users\\mal_re\\AppData\\Local\\Temp\\12025.txt\” & vol %HOMEDRIVE% >_
_\”C:\\Users\\mal_re\\AppData\\Local\\Temp\\50573.txt\” & wmic csproduct get Name_
_/FORMAT:Textvaluelist | findstr /R /C:\”Name=\” >_
_\”C:\\Users\\mal_re\\AppData\\Local\\Temp\\58678.txt\” & tasklist /FO CSV /NH >_
_\”C:\\Users\\mal_re\\AppData\\Local\\Temp\\39054.txt\” & ver >_
_\”C:\\Users\\mal_re\\AppData\\Local\\Temp\\28535.txt\” & wmic os get ProductType_
_/FORMAT:Textvaluelist | findstr /R /C:\”ProductType=\” >_
_\”C:\\Users\\mal_re\\AppData\\Local\\Temp\\4140.txt\” & ipconfig | findstr /R /C:\”IPv4 Address\” >_
_\”C:\\Users\\mal_re\\AppData\\Local\\Temp\\65390.txt\””_

_Figure 12: System information collection_

The infected device’s system information is written to several %Temp%\<random-filenames>.txt
files. The contents of the files are read and then the files themselves are deleted.

The More_eggs backdoor accepts the following commands from its remote operator:

**Command** **Description**

d&exec Download and execute an executable (.exe or .dll).

more_eggs Delete the current More_eggs and replace it.

Gtfo Uninstall activity.

more_onion Execute a script.

via_c Run a command using “cmd.exe /C”.

_Figure 13: More_eggs commands_

### Meterpreter Reverse TCP Stagers

Beyond using More_eggs as a backdoor, the attackers in this campaign also used offensive

|Command|Description|
|---|---|
|d&exec|Download and execute an executable (.exe or .dll).|
|more_eggs|Delete the current More_eggs and replace it.|
|Gtfo|Uninstall activity.|
|more_onion|Execute a script.|
|via_c|Run a command using “cmd.exe /C”.|


-----

The PowerShell scripts analyzed during our investigation contained Metasploit Reverse TCP
stagers. These stagers were used to execute shellcode that connected back to an attacker’s
server and injected Meterpreter components, such as Mimikatz, into the memory space of
legitimate processes. After injecting Meterpreter into memory, the attacker had complete control
of the infected device.

The reverse TCP PowerShell stagers functioned as follows:

1. The reverse TCP PowerShell stagers were obfuscated with base64 encoding and GZip

compression. This encoding scheme is standard for Meterpreter PowerShell stagers. The
original command contained a base64-encoded loader script.
2. The loader script base64 decodes, Gzip decompresses and executes a Metasploit

PowerShell reflection payload in memory.
3. The reflection payload base64 decodes a Meterpreter reverse TCP shellcode, injects it into

memory using .NET reflection methods and executes the decoded shellcode.
4. The shellcode connects back to the attacker’s server. Meterpreter components, such as the

core module and metsvr.dll, and extensions, such as Mimikatz, are injected into the
memory space of a legitimate process.

_Figure 14: Original command_

_Figure 15: Decoded loader_

_Figure 16: Decoded reflection payload_

### Metasploit Shellcode Loader

As our analysis continued, X-Force IRIS found a UPX-packed Metasploit shellcode loader
(49340.txt) during the forensic investigation of compromised devices. This loader attempted to
masquerade as the Apache Bench application and notably contained metadata and project paths
(.PDB), indicating that it may be attempting to masquerade as other applications as well, a rather
typical behavior for malicious binaries.

The shellcode was loaded into memory and designed to receive an RC4-encrypted buffer, which
was decrypted and executed in memory. The sample also contained a Comodo code-signing
certificate issued to “MAHTEM LTD,” which we believe is one of a number of fake companies
established to purchase the certificates.

The sample we analyzed further contained five binary entries in a resource named “REGISTRY”
— 35, 224, 409, 3908 and 4994 — each containing some obfuscated shellcode.

Once loaded into memory, the shellcode connected back to a remote host, receiving 4 bytes in
return. Those were XORed with the string 0xad350bdd and had 0x100 added to it. This value was
then used as the size specification for the next received buffer, which was RC4-decrypted with the
resulting 16-byte key and executed in memory.

### A ReverseShell Executable

Yet another tool in the attackers’ arsenal for this campaign was a DLL backdoor executable that
X-Force IRIS found during the investigation When executed via its DllRegisterServer export


-----

## ITG08 Attacks Organizations for Financial Gain

ITG08 has been around for over four years now. Its attacks are financially motivated,
sophisticated and persistent. The group historically has specialized in stealing payment card data
from POS machines and has more recently expanded operations to target card-not-present data
from online transactions. To follow information about ITG08 as it emerges, please join us on XForce Exchange.

## Mitigation Tips

Effective network defense and threat intelligence rely on multiple factors, such as knowing the
network’s attack surface, understanding the threat actor’s motivations and TTPs, and the skill and
knowledge of the security team that enable it to identify malicious behavior.

IBM X-Force IRIS has gained insight into ITG08’s intrusion methods, ability to navigate laterally,
use of custom and open-source tools, and typical persistence mechanisms. Our team has
provided the following mitigation tips for defenders who are looking out for attacks by this group.

### Educate Users About Email

X-Force IRIS determined that the ITG08 compromise was the result of a phishing email in which
the initial compromise was made possible by a victim who clicked on a malicious attachment.
Role-based security awareness training should be at the top of the list of any organization’s
mitigation strategies to help employees recognize phishing emails and possible malicious
attachments, and to educate them about their security responsibilities with regards to reporting
potentially malicious emails.

### Search for Known IoCs

After the phishing email resulted in a successful infiltration, ITG08 used the More_eggs backdoor
to gain a foothold and infect additional devices. More_eggs-related artifacts such as the DLL
dropper have extremely low antivirus (AV) detection rates, based on analysis conducted via
VirusTotal (VT). For example, a More_eggs DLL dropper submitted to VT on April 18, 2019 had a
detection rate of only 5 percent.

To detect this malware, critical events should be analyzed based on the attacker’s patterns.
SYSMON or an endpoint detection and response tool should be configured to detect the
combined use of msxsl.exe and WMI. In addition, Registry keys and scheduled tasks should be
analyzed for indications of persistence. The network should also be scrutinized for any privilege
escalation events and any signs of internal reconnaissance. YARA signatures should also be
created to assist security personnel in detecting the More_eggs malware. YARA signatures for XForce IRIS premium subscribers can be provided on request.

### Analyze Logs

Other mitigation strategies against this type of activity include analyzing host-based firewall logs
for internal pivoting, unauthorized listening executables and scanning activity. In addition,
configuring PowerShell script logging and identifying any obfuscation will assist in mitigating


-----

### Monitor for Remote Services

X-Force IRIS also recommends taking steps to prevent lateral movement. Although lateral
movement can be difficult to detect, a spike in usage of Windows tools, such as remote
administration services (PowerShell Remoting and WMI), should be monitored. Detection and
monitoring capabilities should be in place and network defenders should be familiar with what is
considered a “normal” baseline on their user network. Without a baseline of “normal” activity, the
use of Windows tools may blend in with legitimate activity, which can allow attackers to continue
to live off the land unnoticed.

### Rethink Network Architecture

Security defenders should examine network architecture to see how the network is segregated,
what Windows tools are restricted or used by administrators, and what alerts are set up to warrant
personnel review. Least privilege principals should be implemented for all users on the network,
and a strong password management system with two-factor authentication and password
expiration dates should be deployed as an additional layer of security.

### Pen Test!

Organizations looking to limit the ways by which attackers can infiltrate their networks should be
mindful of ongoing patching of vulnerabilities. After reaching maturity on the vulnerability
[assessment front, mitigation strategies should also include penetration testing to find unknown](https://www.ibm.com/security/services/offensive-security-services)
vulnerabilities related to people, software and hardware used on the organization’s critical assets
and externally facing resources.

### Incident Response

[Nowadays, no organization can be exempt from planning and drilling incident response plans in](https://securityintelligence.com/articles/how-to-create-an-effective-incident-response-plan/)
the face of potential security incidents. Conducting tabletop exercises and regularly drilling plans
can help organizations proactively prepare and take control of an incident if ever one should
occur.

[For additional resources and information, please check out X-Force IRIS. If you believe your](https://www.ibm.com/security/services/ibm-x-force-incident-response-and-intelligence)
organization may be under attack, please call the X-Force Emergency Response Hotline at 888241-9812.

## Appendix A: IoCs

**More_eggs C&C domains:**

api[.]cloudservers[.]kz
mail[.]rediffmail[.]kz
secure[.]cloudserv[.]ink
metric[.]onlinefonts[.]kz
news[.]bradpitt[.]kz

**Landing page domains (downloads files):**


-----

**Meterpreter C&C IP addresses:**

185[.]162[.]128[.]70*.
185[.]243[.]115[.]50
192[.]99[.]20[.]90
192[.]187[.]103[.]42
37[.]1[.]221[.]212.

_*Also the C&C IP address for the Metasploit Shellcode Loader._

**ReverseShell executable (DLL) C&C IP address:**

185[.]204[.]2[.]182

**File hashes:**

**Description** **SHA256**

5795C3AC7F57F.txt b3537701e054823836da9c532560d30f01e38e549f‐
b813206afd699ecde8a97c

A70613FF7F5DE98.txt 28497c50d65c9f1d0233fc193a43014497fadddb1af8e7f5dbc6eef‐
b3d4ede02

625222E09B6CD028459.txt 80716c2a49739850d8ccd1c035ea4bcc2‐
da39527693c71b800c99ed2ea2c430f

More_eggs backdoor 37831e465728a913a‐
cab317b65c4474b8e6a4570e78c39c8b8c9b956e5d6db25

Metasploit Shellcode d9a245f1fb502606c226c364aa1090f25916e68f5ff24e‐
Loader f75be87ad6a2e6dcc9

ReverseShell Executable 78a87d540c1758c6b4dcabb7b825ea3a186ef61e7439045e‐
ce3ce3205c7e85a2

[Ole Villadsen](https://securityintelligence.com/author/ole-villadsen/)
Cyber Threat Hunt Analyst, IBM Security

Ole Villadsen is an analyst on the Threat Hunt & Discovery Team within IBM X-Force Incident
Response and Intelligence Services (IRIS), where he investiga...
[read more](https://securityintelligence.com/author/ole-villadsen/)

|Description|SHA256|
|---|---|
|5795C3AC7F57F.txt|b3537701e054823836da9c532560d30f01e38e549f‐ b813206afd699ecde8a97c|
|A70613FF7F5DE98.txt|28497c50d65c9f1d0233fc193a43014497fadddb1af8e7f5dbc6eef‐ b3d4ede02|
|625222E09B6CD028459.txt|80716c2a49739850d8ccd1c035ea4bcc2‐ da39527693c71b800c99ed2ea2c430f|
|More_eggs backdoor|37831e465728a913a‐ cab317b65c4474b8e6a4570e78c39c8b8c9b956e5d6db25|
|Metasploit Shellcode Loader|d9a245f1fb502606c226c364aa1090f25916e68f5ff24e‐ f75be87ad6a2e6dcc9|
|ReverseShell Executable|78a87d540c1758c6b4dcabb7b825ea3a186ef61e7439045e‐ ce3ce3205c7e85a2|


-----