{
	"id": "b11de27b-7e5d-49a0-afc1-963d5ff6bffe",
	"created_at": "2026-04-06T00:07:30.781254Z",
	"updated_at": "2026-04-10T03:22:50.159917Z",
	"deleted_at": null,
	"sha1_hash": "366a9e4a628c45618f0766d75351b31da7c0180e",
	"title": "RATs and stealers rush through “Heaven’s Gate” with new loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3521638,
	"plain_text": "RATs and stealers rush through “Heaven’s Gate” with new loader\r\nBy Holger Unterbrink\r\nPublished: 2019-07-01 · Archived: 2026-04-05 15:04:28 UTC\r\nMonday, July 1, 2019 11:20\r\nBy Holger Unterbrink and Edmund Brumaghin.\r\nExecutive summary\r\nMalware is constantly finding new ways to avoid detection. This doesn't mean that some will never be detected,\r\nbut it does allow adversaries to increase the period of time between initial release and detection. Flying under the\r\nradar for just a few days is enough to infect sufficient machines to earn a decent amount of revenue for an attack.\r\nCisco Talos recently discovered a new campaign delivering the HawkEye Reborn keylogger and other malware\r\nthat proves attackers are constantly creating new ways to avoid antivirus detection. In this campaign, the attackers\r\nbuilt a complex loader to ensure antivirus systems to not detect the payload malware. Among these features is the\r\ninfamous \"Heaven's Gate\" technique — a trick that allows 32-bit malware running on 64-bit systems to hide API\r\ncalls by switching to a 64-bit environment. In this blog, we will show how to analyze this loader quickly, and\r\nprovide an overview of how these attackers deliver the well-known HawkEye Reborn malware. During our\r\nanalysis, we also discovered several notable malware families, including Remcos and various cryptocurrency\r\nmining trojans, leveraging the same loader in an attempt to evade detection and impede analysis.\r\nTechnical overview\r\nFirst, let's go through a high-level overview of the loader that's used to hide and execute HawkEye Reborn. The\r\n\"technical details\" section will describe these stages in detail. Even if the final malware is packed and coming with\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 1 of 28\n\nits own obfuscation, it is never written to the disk. It's always hidden inside the loader, so it's difficult for antivirus\r\nsystems to detect it.\r\n1. Find and resolve some basic API calls by CRC32.\r\n2. Decode encoded code from the .data section.\r\n3. Jump to this code.\r\n4. Perform some anti-debug/anti-analysis checks.\r\n5. Load two resources (in this case, UDXCUSCK and SCCJZ) from the loader's PE file.\r\n6. Decode the configuration stored in the UDXCUSCK resource.\r\n7. Copy loader to %APPDATA% folder and make it persistent via StartUp link.\r\n8. Decode the malware payload (in this case HawkEye) stored in SCCJZ resource.\r\n9. Start the legitimate RegAsm.exe process.\r\n10. Inject and execute malware payload (HawkEye) into this process via process-hollowing.\r\n11. Protect injected malware code.\r\n12. Exit loader process.\r\nThe majority of API calls are executed by a function we called \"Exec_Function\":\r\nThis function takes a custom hash value for the wanted API call as one of its arguments.\r\nIt finds the kernel.dll address via its CRC32 checksum.\r\nThen, it resolves the addresses of basic API calls by name by iterating over the\r\n InMemoryOrderModuleList in the PEB_LDR_DATA structure.\r\nNext, it resolves the address of the wanted API call by using a custom hash\r\n     function.\r\nFinally, it uses CallWindowProcW to execute the resolved API call.\r\nBesides the aforementioned obfuscation techniques, some API calls are additionally obfuscated by using direct\r\nsyscalls via the sysenter instruction on 32-bit systems and the Heaven's Gate technique on x64 systems. The latter\r\nmeans the code switches between 32- and 64-bit systems. Some antivirus applications and debuggers are missing\r\nthese calls as far as they are not expecting a 32-bit application running under the Microsoft WOW64 technology\r\non a 64-bit system to use 64-bit calls directly.\r\nTechnical details\r\nThe sample starts with some interesting calls to sub_401000.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 2 of 28\n\n_main - Function\r\nThis function is iterating through the function list names in the export table of the PE header in memory. Then, it\r\ngenerates the CRC32 checksum for the function name string and compares it with the given argument arg_4 (see\r\n1881CADEh above). Finally, it returns the address for the exported API function. We renamed this function\r\n\"Find_API_Function_by_CRC32.\"\r\nSub_401000 (Find_API_Function_by_CRC32) function.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 3 of 28\n\nThe returned API function address is then stored in a register or local variable, which is called when the sample\r\nneeds the API function. The sample is using this and similar API call obfuscations for most of its API calls. This\r\nmakes it more difficult to understand what the sample is actually doing during static analysis. The bad news is,\r\nthis is the simplest one of the obfuscation techniques the sample is using.  \r\nAfter some initialization and decoding of the data at 415DB0 (upper right part of the picture below), the next\r\nnotable call is 'call eax,' which calls the formerly decoded code at 415DB0 (see below).\r\nBeginning of the second stage.\r\nThe function arguments aUdtizdmfiv and aSccjz are pointing to the names of two resource sections in the PE\r\nheader of the sample file and DTIZDMFIV is their resource type. This makes it even more interesting. So let's\r\nlook into this function. Unfortunately, we can't in our static analysis, because the data is encoded and then decoded\r\nat runtime.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 4 of 28\n\nEncoded next stage of the dropper.\r\nWe wrote an IDA Python script which decodes this data for us.\r\naddr = 0x415db0\r\nend = 0x5A05\r\nmagicval = [ 0x34, 0x39, 0x38, 0x37 ]\r\nfor j in range(0, end):\r\n   a = idc.GetManyBytes(addr+j, 1)\r\n   b = int(a.encode(\"hex\"),16)\r\n   b ^= magicval[j % 4]\r\n   patch_byte(addr+j, b)\r\nThe script decodes the bytes and allows us to convert it into code.\r\nJump to main malware function.\r\nThe code at 415DB0 is actually a jump to the start of the main malware function at 415DF5.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 5 of 28\n\nString obfuscation.\r\nThe sample stores all characters of its strings, such as \"kernel32.dll\" in local variables (see above). It does this in\r\nmany other locations, too. The next call at 416C74 is also worth breaking down.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 6 of 28\n\nCall to sub_41B285 (Exec_Function).\r\nFollowing the call into the function, we see another call at the beginning (41B28B).\r\nCall to sub_41AF15 (FindKernel32DLL).\r\nAfter analysing it, we see it resolves the address of the loaded kernel32.dll. It uses a typical shellcode technique\r\nby parsing the PEB and some underlying structures. By finding the InMemoryOrderModuleList in\r\nPEB_LDR_DATA, it can iterate through all loaded module names and find kernel32.dll by comparing the\r\ngenerated checksum (6A4ABC5B).\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 7 of 28\n\nFindKernel32DLL function.\r\nNow, let's go back to the upper function, the one which has called \"FindKernel32DLL_addr.\" After storing the\r\nkernel32.dll address and initializing more local variables with some strings (not shown in the picture), the code\r\nresolves a bunch of API function addresses (ex. LoadLibrary, CallWindowsProcedure, etc.) by using the function\r\nFind_API_function_addr_by_name (see below).\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 8 of 28\n\nExec_Function find API call address.\r\nThen, it uses the given third argument (arg_8 - 7554284Ch, the custom hash of the API function) to find the\r\ncorresponding API function address. The used custom hashing function is based on the following pseudocode\r\nalgorithm:\r\ni = 112186;\r\nwhile ( *a1 )\r\n   i = (char)*a1++ + 33 * i;\r\nreturn i;\r\nFinally, it uses CallWindowProcW to execute the resolved API function (see below). The latter is also an old\r\nshellcode trick used by many exploits to execute position independent code stored in some buffer. It misuses the\r\nCallWindowProcW function and leverages the fact that CallWindowProcW is simply executing the function\r\npointer in the first argument, assuming it is either the address of a window or dialog box procedure. From an\r\nobfuscation point, this makes the static analysis more difficult and might also confuse weak antivirus products.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 9 of 28\n\nExec_Function (sub_41B285).\r\nWe can rename the sub_41B285 function \"Exec_Function.\" The picture below shows how it works. It can be used\r\nto execute most of the important Windows API calls. It is no surprise that the sample is leveraging it for most of\r\nits API calls.\r\nExec_Function parameters.\r\nAs far as \"call Exec_Function\" doesn't tell us which API function is called, we wrote another small IDA Python\r\nscript, which parses all XREFs to this function, checks arg_8 (e.g. 7554284Ch) and resolves the given hash to an\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 10 of 28\n\nAPI function call name (e.g. VirtualAlloc). Then it writes a comment to the call Exec_Function, which names the\r\nAPI function name that is going to be executed.\r\nNext, the sample executes some anti-analysis checks. This includes a function, which is checking for certain\r\nprocesses by parsing the processlist and comparing the names against a CRC32 checksum. We called it\r\n\"Scan_ProcessList_byCRC32.\" These checks are not only done at this location, they are distributed all over the\r\nsample and looking for the following names:\r\n0x388f3adb = mple.exe\r\n0xe84126b8 = sample.exe\r\n0x6b68c4c6 = avastui.exe\r\n0x923d5594 = avgui.exe\r\n0x6b68c4c6 = avastui.exe\r\n0x923d5594 = avgui.exe\r\n0x6b68c4c6 = avastui.exe\r\n0x923d5594 = avgui.exe\r\n0x958e9b43 = extsszf.exe\r\nWe haven't checked every location, but where we did, the sample kills itself if those processes are found.\r\nDebug checks.\r\nAfter the debug checks, the sample is extracting the two resources UDXCUSK and SCCJZ from the PE resource\r\nsection and stores them in two buffers for later use (see below). Then, it decodes the configuration stored in the\r\nUDXCUSK buffer. The function DecodeConfigFromResourceUDXCUSK stores pointers to the decoded data\r\nblobs on the stack. It finds them later via dword ptr ss:[ebp+eax-2C8], where eax is the offset to the different data\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 11 of 28\n\nblobs/config parameters. Later on, these parameters help to decrypt the actual final malware embedded in the\r\nSCCJZ resource.\r\nLoad resources and decode configuration.\r\nThen, makes itself persistent by copying over to \u003c%APPDATA%\u003e/kgehorzlnr/zqwlnpeijybtmkv.exe and placing a\r\nlink to the file into the Windows startup folder.\r\nCopy loader and make it persistent.\r\nCopyFilesAndCreateStartupLink is a complex function with a few sub functions. It is mostly using the\r\nobfuscation techniques that we've already seen, but it is also uses Heaven's Gate for some of the API calls, such as\r\nCloseFile.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 12 of 28\n\nLeveraging syscalls for obfuscation.\r\nIf we dig into the CloseFile_Via_syscall_SysEnter function, we see that it is checking if it is running as a 32-bit\r\nprocess on a 64-bit system under the SysWOW64 technology. Depending on this check, it either uses the 32-bit\r\nsysenter instruction or the Heaven's Gate trick to execute the API call directly via the 64-bit syscall instruction. If\r\nit is using the 64-bit world, it is getting the syscall number in a similar way to what we've seen before with the API\r\ncalls. It is parsing ntdll.dll for the hash of the function — such as NtCloseFile =  0D09C750h — and then it finds\r\nthe corresponding syscall number.\r\nWOW64 check and syscall resolution.\r\nWe can see the switch from 32-bit to 64-bit code inside of the SysCallwrapper_SwitchTox64_HeavensGate\r\nfunction. First, it pushes 33h onto the stack. Then, it performs the call $+5 trick, which means it just calls the next\r\ninstruction at 419D59, but the call instruction is also pushing the instruction pointer address to the stack (419D54).\r\nThe 'add' instruction adds five to this value. In other words, we have the values 419D5E and 33h on the stack. If\r\nthe CPU executes 'retf,' it is jumping to 419D5E and changing the CS register to 33h (far jump). The latter means\r\nswitching to 64-bit mode. You can read the details here.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 13 of 28\n\nHeaven's Gate\r\nUnfortunately, this means we need to switch to the 64-bit version of IDA for the code starting at 41D55E. In 64-\r\nbit, we can see that it is simply preparing the function arguments and then calling the syscall instruction. The\r\nsample uses this for calls listed in the disassembler comments in the picture below.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 14 of 28\n\n64-bit code — syscall execution.\r\nExecuting 64-bit calls in a 32-bit application can also cause certain antivirus products to miss these calls, thus\r\nmissing the real behavior of the application.\r\nNow we are going back to the main malware routine. Remember that the malware has already extracted the\r\nSCCJZ resource into the res_SCCJZ_buffer. It has also already decoded the configuration that includes the\r\n\"089377328364273...981972063544\" string to decode the SCCJZ resource. It is stored in\r\nebp+eax+var_2c8_config_base, where eax is 0x18 (-\u003e \"089377328364273...981972063544\").\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 15 of 28\n\nDecoding the dropped malware.\r\nThe next step is starting the legitimate RegAsm.exe process and injecting the decoded data from the resource\r\nsection via the typical process-hollowing technique. Using the same obfuscation tricks previously described, we\r\ncalled this function \"InjectIntoRegAsm\" below.\r\nInjectIntoRegAsm\r\nIn this case, the final malware injected into RegAsm.exe is our old information-stealer friend HawkEye Reborn\r\nv9, Version=9.0.1.6. As usual, it is obfuscated with ConfuserEx described in our previous research. The stolen\r\ndata is exfiltrated via the email account sartaj@jaguarline.com to the mail server mail.jaguarline.com. The\r\nHawkEye Reborn configuration decryption password is: 0cd08c62-955c-4bdb-aa2b-a33280e3ddce.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 16 of 28\n\nHawkeye password\r\nDistribution activity\r\nAfter analyzing the previously described loader, we began to analyze what malware families may be leveraging it\r\nto infect victims. The most widely observed malware family at this time is HawkEye Reborn, version 9.0.1.6.\r\nTalos already broke down this malware in a previous post. We also observed several other commodity malware\r\ndistribution campaigns leveraging the same loader to infect victims with Remcos, as well as cryptocurrency\r\nmining malware. This activity demonstrates how advanced techniques such as Heaven's Gate can be quickly\r\nintegrated across large portions of the threat landscape. In many cases, the cybercriminals leveraging these kits\r\nlack the expertise to implement this type of functionality natively, but can instead leverage available loaders to\r\nachieve the same goal.\r\nEmail distribution\r\nIn all of the malware distribution campaigns we observed, the infection process starts very consistent with what\r\nwe previously observed from threats like HawkEye Reborn, Remcos, Agent Tesla, and other commodity malware.\r\nThe attackers send emails to victims disguised as invoices, banking statements and other financial-related topics.\r\nThese emails typically contain Microsoft Excel spreadsheets or Microsoft Word documents that leverage CVE-2017-11882, a vulnerability affecting Microsoft Equation Editor. When opened by victims, these malicious\r\ndocuments function as malware downloaders, reaching out to web servers on which the attacker is hosting their\r\nmalware payload. The contents of the documents varies, but one example is below:\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 17 of 28\n\nThese campaigns are ongoing, with new binaries being hosted and new emails being sent on a regular basis.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 18 of 28\n\nBelow is a graph showing DNS resolution activity associated with one of the domains that is being used to host\r\nthe malicious PE32 executables, and is reflective of the consistent, ongoing nature of these campaigns.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 19 of 28\n\nConclusion\r\nThis campaign is the latest example of what modern malware uses to fly under the radar. With the described\r\nprocess, the actors are able to hide the original malware inside the loader. The Malware is only decrypted at\r\nruntime and injected into memory — it's never unencrypted on the hard drive. This means, if any antivirus tools\r\nscans the malware, it has no chance to identify the malware on the disk.\r\nThe adversaries in this case used sophisticated loaders that leverage several different low-level operating system\r\ntechniques to make it as hard as possible for antivirus programs to detect the malware. By using these loaders,\r\nthey can quickly and easily change the final malware or in other words the payload of the loader.  \r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 20 of 28\n\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nThe following indicators of compromise can be used to identify malicious activity associated with these malware\r\ndistribution campaigns.\r\nDomains:\r\nwww[.]kemostarlogistics[.]co[.]ke\r\nwww[.]terryhill[.]top\r\nmail[.]jaguarline[.]com\r\nIP Addresses:\r\n173.254.126[.]115\r\n164.160.128[.]110\r\nEmail:\r\nEmail: sartaj@jaguarline.com\r\nMailserver: mail.jaguarline.com\r\nLink in Windows Startup folder:\r\nL\"[InternetShortcut]\\nURL=file:///C:\\\\Users\\\\Dex Dexter\\\\AppData\\\\Roaming\\\\kgehorzlnr\\\\zqwlnpeijybtmkv.exe\"\r\nMalicious Document Hashes (SHA256):\r\ncf0a3dadba03f32d90e84401451c9acc1a1d2378d5bdae8e87fc2ab9c6ff0f12\r\ne23d16a5b770a04664dd42f8d2153ad62ce5fbf65af2a6dfd791ad70deef61b0\r\nPE32 Hashes (SHA256) analyzed:\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 21 of 28\n\n01349f0b7a30d36f2171145548602451643d670870f8863f8baeec4f76cf83a0\r\n10149bf87feb3276a7d6bfb864864c655b4e11aa2ed6d677c177353dbffdfc25\r\nc2e98978063f02f9769d8372d10abc3fe734cd7e686c6ab5dedb08dd57076b17\r\nfc31b4107bec4352fac3e1a13d91031b6b49969e21abff2301609219c43cd472\r\nSHA256 of related samples using very likely the same loader:\r\nb97d550a3d4e5bc0f5f01fb3989f30e0047a8cac56b9e6be4e46ad527c9835df\r\n53b2eead3c1b8e4652c3ec079dbf0f9cb2e1bbf51a9883b7c5c2c5414e43b54b\r\n3c1f585dd6df5cc0e0391f2924768da9fb2c9ac2f46af9a1f50325cb362728a6\r\n5839edf29a8841b66e6da0a821ea1e2be60a4c9c0765c1ab27df03c2d8b3d22a\r\nc6544c438662421fda4ebb8212526f64588081bf54e233da78a8720b9e0f5532\r\nd8977770d90fcda7b502db771ca6398ae90601ac8f2eddf1484285c2a7b4a098\r\nf067364aa4d565aba90d38afca9c21d67253b16fec8a5c36c6cfb84d6295c108\r\n2b139cdc6423fed45dfb5adfb18e3a141eeb7df9248bf2ac9be1696778851484\r\n0cfa75e3eebaff86209b51e8647ecd091308a6b0083f59e011c8a8fa21af27b6\r\n8025eaa9dad0eeecb73f95d4336dbab72d711189846c5196dba37d3846c276d8\r\n9e25b13c1f12e1e61935b763692c204ccb8427192d83b1e4c248782fc8c6af15\r\n4c03059b3a796b093a754a767b18f7945357bb410779d8cd3d447ff02e1ea88b\r\n3fffc31eb23a2838069284a3de74399601cb1b2846b5615c1032232f3c0e5c41\r\nb51afa3b4cca3020daff7a93ca38060794d5f02e7e1925db17d01e5aa8031492\r\n1a76083a711946b9a6cf9c8b14985e7ae4872784ec8e16ca3e129aa385243e57\r\n94392d43e99f605f189219c25d61051b92d3e0089d261226be49a69768fd170f\r\ne0f293cbdb97cfec3e0307783e0a1065d38745fd80035ba4c04999c2dce0ebe6\r\nd47f46adfdcc0925ebcd3d29c7ddeb8528a90bf7aa43067c9247713ee3199c45\r\nfc04f3f5f993e0743cdebfe26820f1a2ae9ab101318577ddcfaf2b5864eb7808\r\n780b1e40fc5b8a2f3d0cbd5c02455064606281fb2a24ee88633340178e021bae\r\n254af6d5f33bd179b07dff10836e86574567c5f2bdee0e8e26a90af601d16d0a\r\nd746ee2369a12c0c37acc3f3812f926e3345cf7edfd736774304e4d3c27c42ad\r\ne61a9672421d30c721ff58deb54961736bb62bbbc34dd3890edf9062370c48d4\r\nefa28604a547613b68480f7e8ac59f8d02931f5b8d4be6971ea96aff253d5d1a\r\n08c4f972f9e712adc66e7b51b4843ddc6399fdfcc64e2b8245b1eca42ff5359d\r\ne8cc0d6364caf0231c6b48d7eb44a10645b739bb5659d81e31dd5924eed29110\r\na3b39af055b7432c7098a01736877b036fd88ffadb54502ef88d517dd5715f33\r\nd0ab8fa84459da9cfcbe85fc5bfe2ac3e1613aba4272698847d49efaad110587\r\nba63feae30f438dac75134670d2f250b4a4154b7d71bbaf793a12b7a7b1227a5\r\nb3538b49f8d864f30c5f38d1358e7e44e1290193586a0ae4541e06bf8696b70a\r\nf48d377a6dd312fd8572be77793984db7c0e381243dad5f5a66f5d1444e52af7\r\n765b183479a088f6dfd2242ddd88e52c44f39f92f0d03edd44b27c22fec0ffac\r\n813ba89c3dea3342d34b35f56fb27a53c0487d9de9444090448e2904581bac9d\r\nb08521e9d4c442477c2f67ddc64faddb0ab13f95838b140f80dbe4dbe47ac7f3\r\na39ebe0acc9dfc0b22f642fd953d3f729ff976e7076fc788e8cd2be4d0b196e6\r\n79a91c943baca8578abaddc8e4d5c96d91deb60281e71118e4b1931ff58f8107\r\n87b0e89cb6cf9d14c36004996558ab6da6e0f8ca4e357674417a4296fd247bc2\r\n8090fbedfcdfc8e646ff20d1f1405b9e5b9e1223c5a6260cbccf298fdd1e2ff9\r\ncbfb44b652ca595d4125f81910e29095c679fd9ea031b31068ab85b9b5e268b1\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 22 of 28\n\n5eb0c3a8b143b7c96fa61435d8753b6ae6650054d35ad1d0ebc357424e27e472\r\nc2233de1fba765c99ca87f7d77af842344003291469a9e6333347ce73651939f\r\n22076a5556127a3f4bddfcc0ac67abf85bcf76d4fdd4df9245a8f90ce41421c7\r\n8f72b6b45672692941c78f4abc473ef4c7c93c905ccaa13090b4fa8c9ae8a94b\r\n097e633b34a4a827a2f900bad46831716b8eb1efdc3a48e122f6676786ea3b58\r\n373ef46e431d3ef483549bed093830ec544c28202bd552d54992a3d9bce6ebc5\r\n0fa49302f135ddbc06d290dcc4801f87e9249ce9f313b3ebed2e42337171a9c3\r\n358eecbf97a739a88051c3131a9957c874c86d3bc920daf1b903c7945fd7948d\r\n00d4d2851bb0b7570b20722a82b2f2d844bcda76d44042382cfe3a7be94804b7\r\n01349f0b7a30d36f2171145548602451643d670870f8863f8baeec4f76cf83a0\r\n2228980ef182ccaed184556e2f3347ea5d7877da8eeddd18969df7f0e98474db\r\n5a5ddd3a9fd0af5628754cfdb2fbcbec80d0e1c09e2e7238eac99ab7c26b850e\r\n5d70909670129df76288c83041e686b334170b1944e1393354a8a40f8386915d\r\n4a42df7490d910a91d3ad0d2b22a7386ac89e799ca91755e719d39eb9ce3105f\r\nbd65e1f2474187ec69980e3bcc237d5eb5953c413e858b57f75bbc1efab13087\r\n550778509464f5cd5e7be0b21a01fb80cff8857133cff9d65290c1dbb4b13f4b\r\nc9117b4e20a2f439c2a4a3e9fb8554f1aee832d615666021d5cf5f6a62a15109\r\ne33066539456b2b4b16ca938cea71ceea097320d8445d7a48d461b65accc4d7c\r\n8a4d4491deaea94a51586c5098055c335831b37c17f3d8449fba197dfe73a83d\r\n1191a2a9d100e235358f4b737a1bda17d27731721403d53cb4cba09979987bad\r\n0f8572fbce7270f8462acf1b3a54d249630f138dea29203f95a35a647a150f92\r\n78e7eb147b419da410064536a83e8856c50ddd42fefe2f84616d90bc5aa96c9b\r\n4dc9503ba10fcaa9d2db3e031dc7854a6f7e6815efa24baba670f1f3e3c192f0\r\n9b811b1b8d88cbb2f6ad92a7ff042c1112520bdcff7e9ce42b801de4bb241979\r\n057eba3c5e001c212b565f5136119234ebd54f2e652d9092dfb3ba32439e9770\r\nc217bd6a78e26c783b13d6ef935271758ac81115a7fd86133f8905329168ec7e\r\n26ecac734753116e6afae428ede31eda76499caa52ed76e54f094b0ab04a24af\r\n3f512ccc3610441d90a33d7aaaa72303541b57d28e7e98b46d446b99534659fc\r\n9a4680547af935cc1f5369f60e77d148de3e318ff6b2cbe63e75b8fad051d8b6\r\n20293acec1ea7c8b3c26b34e4715f8a9796315f3d5a19aeeff86f660bb62a379\r\ned01ab2b61aa9a68e7a3a0961ff9e60c3bbba7c944f1a1a7a9bf674c44c97ad2\r\nc2e98978063f02f9769d8372d10abc3fe734cd7e686c6ab5dedb08dd57076b17\r\n319d22b549bcbabce103c5d1359ac65f8e8ae49bff6287de21f3f9ef3138646d\r\nf62e27717a0a9d7c5271697a65c9052362aa7a273ab78aa981b23ffa7f37f569\r\ne3f6293b7214b9c5d51a12ca7de2ea0b82d909971abaac73143d40de6fb46168\r\na278d236c958536e57adf595d742021bf9249f18ec08d89f292a38e4adeecfa3\r\n923a10cd5a45810a4f50fd88d630835d7476183ff53e2056e7e2b71cbc488684\r\nf1fc25ceb569ee834f38061b3a0f176f58802e09b2e2987596a1ae843bf50b04\r\n2bf7904fb0720d95ddf88e68d256f63adbe228a99e65a650faaca64101afce27\r\n64aebb452f4208ae53a8dda999c4af052ad46030b536b161ceb4ab09a1d1320b\r\n4687b4ccaee1db427df6649218aec766083cf28345edfb48fb2e5efc0366f0ca\r\n37034b8e9d3889a7959aa13d99dc7ac3027d03effeb1ccdc62c39f937b303026\r\n3111c73f9faf4127711feaf94c68cb1e08918c0b3c00b7066e2336ca7a28ae81\r\n4897c42869fe16f3658f5f75cf0e8632c63ae424524afdce93947a5f03d0f804\r\nab8505cfd29a70606abe22e655741412bae9db3f18eee63f5bfa13114655d651\r\n2b4f00ad30839c2a2c37801bb86dab1ab5df209d58788f840e4dbdd00ad06d4a\r\n1e73aba842ebacff5998c303e91a7de845d74020fdf951506cd60b658dbaef2e\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 23 of 28\n\n96232a85116e9c9fd3a864586055ddd7bd762a321dbc64b3e6daa2cc650eca2d\r\nebb8a01f413b16233df797a0d5db5c4d93e91ec5dcd09f42da9a1e367584d0dd\r\n84d57f57ddb11d8d46db94d3cdfc06593902797833a98a623f267c5d2640823c\r\n6376344a3e5c38687912533c5d1535173981c10e16d448b76a9deb2e8695e62c\r\ndeb037f991f1ffa4e6e9b48d6f40834fb192c04dec3afe740a4768206255ca65\r\n9bd4ac435b07d0f7a76dfb17608b1b1027a459b10a5aa9ca5233416d2fce0448\r\n3644203a80018fd90877d658d18452bc693b046a2a76461851294f44f4fd163f\r\n291eed0d38fe2a0e08bf8bf207b4e1a521bce442e675fe3621c545ac1223c069\r\nb19e62bf6617aec9cdc3d7f96fcfc23a63c1587099e632fff025ef51278d7dd4\r\n1fe03f53fca1151eae46b3026d3b4f54f33dd3f235abb8b613adebe6ff31e385\r\n3e5685381ca9ecc0fe592a39410b1ce079d069c2642537614852bfb4bd925003\r\n02c10ef570d587d798c1e996fcec2d60b23be098e77694e4bfcc35818a8c9b20\r\n7a29eb9a38d43b86698fa5a9e245eb8b27a0a27407e7d1ac8025db93b3926449\r\nbd7510baa936badee2c828d9e563994e489396baf5538eda224482e54766554c\r\n433ed1c9ca574cc7d179252d94d1a0b6afe5cfcb6724491c86ae230f0a5c692e\r\neecf481a6429117419fba24552a0a2ad690e40fdebfc51b4d83c5560188b32a7\r\n737b0f10471e7d73ec2227dba9250c5130f16b083bc34773e112d72ded4f9e8b\r\n8553959c6311aa9d127ada87a60ff1a9b50fe6a90388978ed1edea76277d2191\r\n750995e29c178cb75e2602a1640276c08f73055a70657dbc274a0a32b81b3f9c\r\nf0b067ded59292e46d0591dc9e609f0f9ee44d2a20f94613b3055abc525fc5ec\r\n10149bf87feb3276a7d6bfb864864c655b4e11aa2ed6d677c177353dbffdfc25\r\nf17863323f4b772be857efe9727d619a678c633b1bb2f97f0d885f584685cb60\r\n76ddb6dbbbc196bd72f6c243f96cb564e43711d95fe8bef0e0c384d7a2629790\r\n38e1ff632d9ac836a9f66d5b011ba7bd4ccbe097518135d9c6223b1287eb4711\r\ne7254c9407d43e354acc21c0758c2cbb55a7cfb505abfff189d81cea5743f3b6\r\n04971450515772684479fb5287933f0b2c7ad93433e3c69b7f235b57a1e2f128\r\nf1076ddd97862d36741a916fd6d08ef1397d1c7cb540240a0a11821e65339e27\r\na310e24a341bcdee48a8809624b83ea3936109e85781f678faa1e689e79f6987\r\nec2c6d2747c6c64d66c84ec2fbfc826d564dbf8d682069ca928a13df4aea19e5\r\ne9bad189d2ddd095081b8f3021ce208a18b4acab7c91b1b03dac152c8f5d9479\r\nbe072317ffe55b115fe4487d40dbe5540be7ac70f438441c9e04a8cadb15fea4\r\n4101c74a521ffd0b9b3612fb68463219546bcee5de025e550a107d9b166fb014\r\n66921675bfb81e0d421558f3040788294c1187facdb6d995c3ff01e07dd90b87\r\n9000027ab595bd189e817e81d04ac0da6eed31435905186c063fd97d4faf050a\r\n34409c20c3fa37509b3005ae1ca46b79927668636a596edaa2aba17168620c80\r\nc27897d027f65dfcf24736f29c833122d336b2f81ce81a7e2ec1f4790ad14a81\r\n4ed52fa4dcfa57186321211eec23375b7aee513cb3768e7f73d3fdaa56e04711\r\n15934abb6f87f6524821c1b705e930284294a9d1bf5c82f18f3c85acb97a514a\r\n295ec383bca0df3673988083545301e787970d770de470b4c95e9e1e071adf5e\r\ne667a01dcadcc35b8c9c2c995e5e421f308de18f1b7c025dbb119375dc70ff0c\r\n66c12d55e157dc4a0eb24f766e650daf516553455d789598fbe84e69eeecc7c4\r\n7fbceb75a87b853c2a654ad50022a7a1d3e6aad60316719a2cc6b1ac20cb4e43\r\n0836b272ffce3f1b521062ca1c38f748a26d06cec15ea0356638633cbdb2ba53\r\nb8747a987023ed3f0c2037004cfa79b179e3cb4f45ef867529ee7c803d030e14\r\n6bb8477fb9fcfb71db0826c700f47ef2d80606b7c9077dbce4b7254ae3db31eb\r\n68cb2951432abdd01fcc8deab8b532c86a885a28dbb153f0ac3e344f94b0d700\r\n00648ec07eb8960c8575f4895c7144a60bcc0ae377a7f2cf494461460e8c6e7e\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 24 of 28\n\n5c760518415d0bb341c74333c70edd3a2881439a033fac7d4f97aa9d7d67c870\r\n060ca8f51ea06930057376c297e0ec63228f1f3d7c76b526729d8ddd7abb0882\r\n1be9bbc42dd8893e2eada6fbc2f6213f76d1500a467ac3ab5f3cc95745509f0e\r\n2bd52bf833bfdda313e96a734f9860893d4e2f93974b3531faf5af88f10db84b\r\n1e9fd0235b73788a8501fff71650129a445f4fe2b0ad97a15a63d9f0c19f349d\r\nb7263ca0af63c8ec330a4ff62d3c2c77aca4092b9c855cfa4b0a934108e43924\r\n277e472088dead8947e72e03387b670b85b14d73bed01d6de03bb7c42a5cb9ad\r\n316522e4f97f2d4f6d568093a043624cbb02d46eb5a7e0f6accfdb188cf1528f\r\nce49da92395aac3471bce77e49d84c527aaacfadf7b517a192ff9edb02655a06\r\nb0d0e414f0cfbf44ded2ce467bd483d566aa5aaeab6d1fba75338a9fc04f6fb3\r\ne1a882a28f8053e96c4b6ab5648956b108cfe79170cb608d396ba455da099ec6\r\n491a055581260b3b5c639bbec3c6c04bbc0db7d17e0b8b9cc5109c86b6aa3ad1\r\n277d27828068293d9b9887482f5e77a787f83212289901c485480bfb0fce26bb\r\n13d17a83959f398a303329eb63317791ed03ae30b15696de9c136cc3d97f953d\r\n03655588004affd0d5761d961f20648086458a97bf973a9011cae56968c8e96d\r\n8ace05215d51668fa14ca0ec731e59823d0cb392cf1313868da5750562771651\r\ne2aed629ae9a752d1ba02149b2225a7cc1ed246131cddcba0f0b0540bf0dc045\r\n3824d9ec7507fd567da81996592ff8003c8d7041a26f4faae98a901127644bdf\r\n3c22205d4adc025ea1325fe8879e5d8f2c12270a5fe22da325c297c744826644\r\n59fc7c8e2c8bed1f381630c6016ecacc4ecd9f1bcbf4b5a6139be9d47083a8ae\r\n7149d25fe6e1a335322087f7be5494a24e246d43267286b945f4db1307764883\r\n5e767ab245543fc4edb71cf5a3b54bdbc96ec7e3f84e171ee65ecf59f8884090\r\nb342bc2b980b2ede862c104224dbb4784df5019b6f338bbd0c6784f27696715f\r\nf11e2320f00e1737dcb44c433cbda5a7c84a00f547e108a185c21bd350a913a6\r\n82bb3154f394418dc7664935de651ded32e12e85d289a27c75211d4037b1957f\r\n6d0606c4fcb65639c8d1ce5e7995268a2a89f21bac9f91096fe00da157517d66\r\ndae8d642c9911371c9c435e980239d262c179d0797d4dea959002f14e7613a17\r\n09dd021835938eb6c6ec930950b41815cd4d7702f35c06faccf3b133e4004861\r\nf0c30f73412470e8411770b12b2d4f6ab917cabce55517ae348a7697e23a2c3f\r\nfe6e0f82a1f503d5d595691f6bff426fd8381477d21b9d23c4ee103de5e6a6a6\r\n52bb518a4e7906fa68a4a0bb1813dc4c4ae575a891ae9730573738e032c24c5f\r\nbf6aeb53a7beb8460e18f5b546fa3ea215837fe6819021e3306dbdfa2dde0789\r\n62068961c64d65544dcabb5640fcbd50a05694732823b53cadb82cddc0d72c64\r\n98ece7de8b60e356d6a965c8fecc089b86e67e2c29faa941f7cae0a64537abb9\r\n39b14c7b01c68dbd67963156b813ff89c3755b4f12643e6bc92f6ff4b14f40ee\r\n7d7245b0e82b6f570c65da62720f419cbfc11ae4abeb7d062bef1fccb7dd667c\r\ncc84071ebf2a49ff92f12efec31736d0dfcb8a028d62ed65668c9b6641012d97\r\necd96450a7f835bbd469dfec0e439cb6aa83b45830a6732e622b092e6173514d\r\n959e75dbe87d962c5e65ad9059f2f73e3f1ce6e4e13cd349adc1bb209cbade5f\r\ncf83ef20629f4ef2cd3ffe3dd7861e321bc3d2dfe6f6aeaf8447bb0a1ca8b042\r\na42fdf3685f82a662136a36099ba05ef38d2282fac999ce29d4dc183f8bfb01a\r\nb576fa9d8cdc7ff7e788f2cc4b460dfe284c8abf0cbdc16f26704c0e82771bd1\r\n3357103a936771b6a07ad55ee10d2fba8c3bc287d9a7761bb773f242ef979357\r\nccbe1d4c7ad7296788dfca1e0a2f45a3c065defcbd2d639ac98809d5d469c124\r\naa024428adc6a1eb38fb1c26a73224f5a9d221b1b0c92de2fedd6fba7322d415\r\n84919891e03f6de5bce0855627644a13ad5c616bcb654d1509e60308640de678\r\n4dd4374787c01ce4de4c389b03442e6b0ebed570bfad642d4cf42ce6b30a38e2\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 25 of 28\n\n6ec195c71e7f5b2561381e6457ff3c90255cde408d6c2451bc7342c945767161\r\nba0c598fb174eb943d66e908065566e7698f0946a368f05135b004761239761f\r\n2c1d4304c0ac9b2481669e6aefef515aa69f8f8cea4f2cac41dafae8d76ac2a8\r\n0cfb09396d1891b95710302b0bc2e8031279805510b7b47ee151daaecb79f7fa\r\n0b84d8793c5362b0d10f238fd2bcf8fc4a1d063ea1c4e767f2d7081872b1a050\r\na35863cf5014a3c7c3aeee5f80e59635885c0893b3fb9325869c9a4de8df412f\r\n7a7be7f6e662a8f7c2039de122ca08da4193d681b8a8a4ac5a25de6223ebcdf4\r\nbe2870dc539c827d85401d865166db981ba2a136629fe25ea466ec0ecbbf6e48\r\n78e536063c280fadb0a78c24c976cd70c0bc0139908b8ec1805c8faa676a8027\r\n9e030cd415efb6e040d03a3f69dada5d4f08c0c430cf8400be706c2d254c42ec\r\nf8e27ad560a6b5a2fe9f156cf8bcf2dd2fc57cb6c620cd1a3159f124e41af8c0\r\n50d35c2baa8045c6455d26370142942bcc6d7c648250cdeb76f1a771c2ad13e2\r\nf4c44d4c9f98f0a738837b3bc5965558915522be3f44a9c31fa5560546ff96fc\r\nf504e794ee3f7f537177a22afdd0a830e4a96e1531734171919c86f96909f334\r\nf70997b46388f104340a35e901dd3172a4a98b2bc08cf75ea5a9f79831b0f84d\r\nea123c9b6299186b1319ec6572bd16fb6a28185f2e9ddb9aa1bf3e52f1911b5d\r\n76baee103f6d1e0f63a22deefff38e815e53c1f9627f41b9220cc08cd32e5434\r\nde88e75b519fd4c118e3756b2ca48ebfbbeae1c084603e642022c074676de362\r\n7ccb34bd9651f6f27d531128d839d8d0c1853f2b6f29fed69b7e19448bfd3024\r\nfaad82acc0652954a8dced1b5b119189be888e897fe7b4378587627d9a1ab0ed\r\n53bbc252c80c752c62dab6a1c8f9d200c20e1e35789bf87716b866c649401e5f\r\n2dc6944f17feefdcb4ed6f2faef0abe0af4f3e883c3d1dbed136a7458438398f\r\n32422502bcdeeea7371d8a17307da010af8d30ae20eb3d6d6c52685448646931\r\n76229d35d18642da6e365259353937c22b4e2dfb933e6dd9f6e5825c33f39681\r\n9918d0b4a9d3a2775d8fa813db7d8110b47903c23056a60ce70e200dc33ed019\r\n66ad5506a0b31b6ad852f2609354d507085b311f6bd67d68ec3f6c7f73b36bf8\r\n3a8d43e2d37874ed3dfcb68d3f77ffed07e7ba5a0fc91707c9a920427410ed34\r\nb720c635fcade5e16367ab730b6b7ef09a31d0cf579ffe5bb115b8d3264047bc\r\n24de434e2c57449c820f49c0c6e49b529964904b2e534edf6d2e92515d9546ee\r\n44320a15b6bead25ac56454e8ecc65071136d25e55074356bfa9ceabbeb62012\r\na8714f23b9805dd8421f2817381fbe1a8d4141ee612a452b954394481ccd19ab\r\n9f4c4e2f52ef3c30949d2b12e69062a434f3413aff92f6460a9b3151a4850514\r\n0df480f2bec98324d9a870e5019eb64f4858bcb8daf66163700e0cb6a2937767\r\n3d3c726175d7b31be7471eb3198861a1642aa1226d9634bf6aa593a4fb9d3bcc\r\nf71e494c7c028b165f7956fea8144ffc0edaf538c0147e59754f61788c47938a\r\n35fd7e301a0e78a759cd50414b9d0cfe1b4d6c5c9316bf3f8dc5afb388f0ad7e\r\n526e70806ea478014016fb49cd9f297d15e3c9d322aae366f9b0a521c8ea0efa\r\n4f62a36d85afcaf7b6417b60a45f17d5a921aaa5614c83135b29c0419c02e199\r\n85eb95c03b47f3f5c0f4003a444ee976ebbc1d36a427d9ba576e5b7fe51f23f3\r\nf3f85da23f46c34b270c1d82c01521586e2130ded1c3b55ae8f5a5a0f59f1001\r\n813ebe94ed822fc8c2b42904602e62363b1a24ac95d8d0d56990e1d92afdd8c1\r\n33f54e062132e8846af89f6f6e37ee191a177c6c9eff3cfe1b784e2ad14e8c43\r\n385827beab7a004fd55ac137b9a19f88829e3f4d4bfbca6b6ffce6d49d1dcd37\r\n29db21426f77a935c7b82a973ec62f97a3627b5967b0a2a8bb4c4a078c6f02de\r\nec8da89ced1ba93ff9e9ad0674cf487b40bc8aa66ef37d52bdb6972d20059886\r\nbda55e17c599b80c688e93249375fb027754aef373ecf8a05f205f1ff4bbf21d\r\n07c38e258efe82eae706fa4b53826082e1246188383910e13e7e524d02b8c814\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 26 of 28\n\nd6cee6f5c99675818a8a523df6864c6b8cec92729b1e4e5aa5aa1e11b87be528\r\n81e5f237a9432a1068290a0bf59f5e3e889009ab38c4113ffe587445f452e396\r\n8992be7dcc77bbe8d2010b49c71b99badf860d4ca064e71005076801ff9fb9fd\r\n67a823dd0acd8fc0d86e402b90564670b6c88d6872d263f31169acba325a18ba\r\n1aad661acc01d544c084fa5f1957c1f61480feebc28e0e63c42b9f0324b4b651\r\n36ba85a2d278fb599de9dd36adbe289c39264055996b764d8979f45bcf123535\r\n8f241077b523d9db54c5075303fb88e1416804a33fa2575d64650b714c0dc94b\r\nc082a8a175ffa2d35a93851a8c963224fe29938eac91fbadfe299c7a1e72139c\r\n5eb5e0022df44e595f2b362f6eb5278a2211d317fed684e584901bf507d5a033\r\n99cd4d6be9a58331cb148cf0696d60c40ac72c8a46ba592c984bf9bfffb07ede\r\nc05402a8708719dde5ad315d9e4236c5128ad8cd7ca1fc28228b4836061d7503\r\nbc0e103c8eae02eba219cfa761eef4924385c7328dd59e6b72f49babf8f3189a\r\n159d09cdbd90e5ce221f9ca7fd30646268cb2521d4279d707b346602b0eda59d\r\nd6c67ba1b4a3cfdd48e8f835e12d898b79e5741bab699c3956f615fe6bf28572\r\n636137367dd6f556f0740e9361edfc2418d3f4cac4fc166f174da18c3e2c7131\r\n655d514709f31f22ab07b16fbd33c2cffbf8abc1331027a3f144558e09970d4b\r\nb54b0c73ba7f1b37b7af59ad459aefae4dbc3cc0c7a324ac94ca39bc23580c0c\r\n2171f379b875969f797ebe9c23bc46d827ff221c5da4ed8cdd65bc4b2855ce7d\r\nef80c882447928a079e7d786fd680d6b6c2a1a3751841165a49b00226aebc2ff\r\n37af5ff460fc62d754829b7ade4ae1e0b6c4881fece1e3f089032d12301c0bb0\r\n1fa15197c1e9a1fa5dfb1916c6a514778a609889193f9b65f24383a4b7693ec5\r\ne432256ff7867c4abeb51885011d5f65b09566e11782147a9e2b47d55b8adf8d\r\n42409f1eb65931970e4063c2ed63a8ee44d2f5c6c5853bf2ec35686d2766e268\r\n18622af49909851dfdfc7926fd23285784b5efd3adfd4293663003825025d88f\r\n4dc61ea009d78dfe1399c5c7fc9c60ed6a144378cc51753cf495819c22c247ee\r\nd21f035e7429a0f801155a1ccb22d8d782867aa46b960b6909b74212749bd821\r\n64f5687a6b2e99953e18c218fd184883cea7009a10fc680da520ecefda5338c1\r\na06e1dc7e077b073bf3b8e616efcf67b8ff9428293fcb89ae6f937a1a0a5b3d8\r\nba11b9b4c9e0084e5ae5d0de45761b6bd6ebbb62d41c93c7a23ceeda8461d4b1\r\nd608b33a3c5695e828b7afec1ff9276b42cf750f7fb42a14079b4b29a7b59c3e\r\n57baab61c3e3e5af27c22ef7a6c9ebdc6c280cc9ac3840572c76827954656a54\r\n6f93663fdea32014c733f460385ed3a55cabaafbc798283edf1ec1b1c12203a2\r\nf091381bb04045479f969e5f5dbcb8325590bf278b29d760bbc9bc08adb97e63\r\n988316a8842a2be9636a222a8b6f1d22f6587e4f648473d2b9166946c2b2b90f\r\n1602287d45ea448e91c4605cc8c5301d264cc2785c8ecb0aa3526bcf0e6b74a8\r\nbfefbd8050f0dfbe1047ddcc07e951967a5b8395190127d97d0c3a4441c919bf\r\n517dc095b262c6eeb7d80c3b025728278cc251f4e244af1c7eafff135a41ba4a\r\nf13de5281ef8a3bdec7e6f309870ffe9613da4796baa4ba8a37b748002bc06ab\r\n9c748ece1010fa49b15faf8e589709381b08e5451c00774b538ad3020e2291bf\r\n757bdd96c6547a00d13e88c58995fd3d9372bc7ff0fa717402337d9ea7cff513\r\ndbbc786378fb59ade9c6c99baec054206ac4504328e4be7044a624170a6c1863\r\n8cd8d977dc8764927c9d7dd24b79c984fa94ef9aa1b309363d61a759ed9ad8e5\r\n909ffaca9d78ba1e391fa62382770774f37204fdc5de24ec4234d5bc636d38b0\r\n2c78fce765f51d101fb68e4cc3e98ee2cf949ca8a8d987f4b5d01fa4158239b2\r\n62f655f3e9766e9923c6241859d567339c643ee5bad7f6ebe43b2ffd94e93d0e\r\n1f9d3dc21f1f816e5b816d3633ad9ec2696138519d2da972f179a8ccb4689f83\r\nfc31b4107bec4352fac3e1a13d91031b6b49969e21abff2301609219c43cd472\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 27 of 28\n\n7f2413783e24f161a06e13fa1e3ba14d8455e9e6de1bb71eb5082f80251c1e30\r\n97878c51723426766561d3c3c319cf649d049514b1330c90389c2b5d45cbc759\r\n74e9408af14a09e5c8af61780dc62112054876ae357da3f6ebf8319799b14d14\r\na10486e5696f8585ed7c88e4bcfb440eea7b67ece05e6a871572282916f72d0b\r\n885bc554e5fc03b250b359afd5a360431bd4768f60772a60a66c65a241909e49\r\n46fda32fdf5d29190b8315e30e1fd6df3a4aaf43308c8a354a6be203a892e6ab\r\nc3d4e6bb0c9f22101a14c8455677acf98fdae3e2cb8063c76c5119b92c73e0d7\r\n243460e5b641862bed80bd004ff280f3ae97fe18415616401ce33988402a14dd\r\n3eb2472ea1d712d6285ca3a442debdad94575a4d1fb9b9caf67c41dd255e98c0\r\n4e987f55eabd6f9efd1947dbcdf85af455a1f7087962019f23f66a308a1073c8\r\n451057e11ab32bd3f6e7d71b8709c287c1d82e4e2036df712d688f7e0afc73b6\r\n9679abcdadaf4dfb9f3ae2a79b7bbaec08921483ae45e4486397dbd4afcbd462\r\n9a43f3338818991e28edd5e4be7531bfe2c5dbd4ffb3f55a05969e99141c8001\r\n6e6b891c5b86dc44cf37398291e01e623408e2bf7c47b88fc557e5fd222e140e\r\n490ae3ed23b6e40d1e7b6fd8b20ba69d4c20d9cbc5e7a53d9bc3a1824d4c45e9\r\n1977b89113e160518a917cd3a0da2e1e61c466251a0690464d425c191e3efbe5\r\n1efb2130e792e899d3fee5b0582e61b54f9bdafd00ae43e727d618d462a64a42\r\n8772387a55e177ff01fa20b6941dddde054c594eee8098cdf96a57e2ccb78b7d\r\nabed1f8ff3882e4737125b583f703683c3ac5786c8732832953e4e528d3af5f9\r\n0484de9ff7c50e22ba4cbc6d9e20fe5d680ee352af1d3a650df0c770848d9b90\r\n44821f79cf871b34e62aa86ee3e4577a18dca74a39f743081e2a8dec994025e8\r\ncf830a8c2868b346090401ff03c4ab44b13f50e33534add2c101ee8ff362776e\r\n28c495032494011c1b70b68ce584a929841ba9ba0d22a83e4084e886f6db2721\r\n88543e7295c60ecbd0063c71bb6d4a9d2a3397c79cc19c6f3213d88527a4d3bc\r\nb5ceafde9b29c186afd1a17ab534ccb1f578ff9a3de9d8b20ad55f437fc030cc\r\ne560a9c1961eff0a0cc1dc309dd03511b43d7bba36571caa6dc2e36132126e65\r\nf74fec6680f946ad601522ba1f87d58c0fd8c4747ec181083134fc4d353fc0f0\r\n19782d2daa25113c0d57c2a3e980bc224150055159acfe852e520803a905e908\r\n5e43116e3b18615353968d8d7acd8f535aa8cb95568e78bb6ad926db6688d37e\r\naa54bce71f6e34a0f20f87085150a5060764fa4a594a7f6d91d01779f03023a9\r\nd55319e0315279969ce264b10da904aaf38fc16ea29b4ea30624a0c2fcf7fc5d\r\n939aeff288528182c81cbadce24a687fc962fa8c50b1e696169be8f4e7c4fcc9\r\n195e76b41f7256e146e5b3aedd8dcdb6e15fd40deb8159b46c8e8b2af157aae5\r\ne287aea0eb69b9b98dda453b22c3defbd00f344b2258ec2fb57677e77571d089\r\n2238e42e6cd3db765c046bdecb28bab4142f9b9c8df59a1f55bfb93e499e5825\r\nb9f7c411d951fa455180aa9e293ce1bcc9939b8040b726cb57f9afdf718603b5\r\ncf8d41d14f7d2ed82b6b0199a0335b15c2956c403607fc92af11378e4c02f577\r\n37f5b2c50274063c5948e5a425e50528205bb0adfe4d7084b4d756b0de594289\r\n5aaedf8c7d06cab042b23025ec4c0ab1215009178a6dbd44d1e6edad527356eb\r\nSource: https://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nhttps://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/\r\nPage 28 of 28\n\nSCCJZ resource into \"089377328364273...981972063544\" the res_SCCJZ_buffer. It has also string to decode the already decoded SCCJZ resource. the configuration It is stored in that includes the\nebp+eax+var_2c8_config_base, where eax is 0x18 (-\u003e \"089377328364273...981972063544\").\n  Page 15 of 28",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/rats-and-stealers-rush-through-heavens/"
	],
	"report_names": [
		"rats-and-stealers-rush-through-heavens"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434050,
	"ts_updated_at": 1775791370,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/366a9e4a628c45618f0766d75351b31da7c0180e.pdf",
		"text": "https://archive.orkl.eu/366a9e4a628c45618f0766d75351b31da7c0180e.txt",
		"img": "https://archive.orkl.eu/366a9e4a628c45618f0766d75351b31da7c0180e.jpg"
	}
}