{
	"id": "19a8f82a-f1bf-4c41-8ac1-49155d76c776",
	"created_at": "2026-04-06T00:17:06.311653Z",
	"updated_at": "2026-04-10T13:11:18.718789Z",
	"deleted_at": null,
	"sha1_hash": "835f2918b1ae6c2259aec2d756d83d8543bdc5dd",
	"title": "PureLogs Stealer: Complete Malware Analysis \u0026 CTF Walkthrough",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3195487,
	"plain_text": "PureLogs Stealer: Complete Malware Analysis \u0026 CTF\r\nWalkthrough\r\nBy Zyad Waleed Elzyat\r\nPublished: 2025-10-18 · Archived: 2026-04-05 20:02:58 UTC\r\nhttps://medium.com/@0xzyadelzyat/purelogs-stealer-complete-malware-analysis-ctf-walkthrough-83e41e7c6efd\r\nPage 1 of 19\r\nExecutive Summary\r\nPureLogs represents a new generation of Windows information stealers that combines sophisticated obfuscation\r\ntechniques, robust anti-analysis mechanisms, and military-grade encryption to evade detection and exfiltrate\r\nsensitive data. This analysis reveals the malware’s complete attack chain, from initial execution to data exfiltration\r\nover encrypted channels.\r\nKey Findings:\r\nCommercial-grade .NET packer obfuscation\r\nMulti-layered anti-VM and anti-debugging defenses\r\nAES-256 encryption with PBKDF2 key derivation\r\nUAC bypass through COM elevation\r\nGeographic filtering to avoid CIS regions\r\nCredential harvesting from browsers and popular applications\r\nSample Hash (SHA-256): 7505E02F9E72CE781892C01AC7638A8FAC011F39C020CDA61E2EADA9EEE1C31D\r\nAnalysis Challenge: https://malops.io/challenges/10\r\nTable of Contents\r\n1. Introduction\r\n2. Core Capabilities\r\n3. De-obfuscation\r\n4. Mutex Identification\r\n5. Anti-sandboxing\r\n6. Anti-debugging\r\n7. Registry Execution Prevention\r\n8. Process Masquerading\r\n9. Anti-VM \u0026 Anti-Analysis Techniques\r\n10. UAC Bypass \u0026 Privilege Escalation\r\n11. Credential Harvesting (Applications)\r\n12. Data Exfiltration \u0026 C2 Communications\r\n13. AES Encryption Details\r\n14. Self Deletion\r\n15. Conclusion\r\n16. References\r\nIntroduction\r\nPureLogs is a modern Windows-based information stealer specifically designed to harvest credentials, session\r\ntokens, and sensitive data from compromised systems.
The malware demonstrates advanced capabilities typical of\r\ncommercial-grade threats, including sophisticated evasion techniques that make detection and analysis particularly\r\nchallenging.\r\nCore Capabilities\r\nBrowser Credential Extraction: Steals saved passwords and session cookies from major browsers\r\nApplication Token Harvesting: Targets Discord, Telegram, Steam, and FileZilla authentication data\r\nCryptocurrency Wallet Theft: Extracts wallet information and private keys\r\nSystem Reconnaissance: Collects detailed hardware and software information\r\n.NET Reactor Commercial Packing: Industry-standard obfuscation to hinder reverse engineering\r\nMulti-Stage Anti-Debugging: Detects and terminates when debuggers are present\r\nSandbox Detection: Identifies and avoids known malware analysis environments\r\nProcess Injection: Masquerades as trusted Windows processes\r\nRegistry-Based Execution Control: Prevents multiple infections on the same system\r\nAES-256 Encryption: Protects exfiltrated data using CBC mode\r\nPBKDF2 Key Derivation: Strengthens encryption through password-based key derivation\r\nCustom C2 Protocol: Communicates with command and control servers over specific ports\r\nDe-obfuscation\r\nQuestion 01: PureLogs is obfuscated and packed to hinder static analysis. Which commercial\r\n.NET packer is used to protect the PureLogs binary?\r\nInitial analysis with dnSpy revealed that PureLogs employs heavy obfuscation through a commercial-grade .NET\r\npacker.
This protection layer enforces anti-debugging mechanisms and significantly complicates static analysis\r\nefforts.\r\nTo analyze the sample, I applied .NET Reactor Slayer, a tool that assists in unpacking and deobfuscating .NET\r\nbinaries. Once processed, the binary’s code structure became more legible, revealing the true execution flow and\r\nconfirming the use of layered obfuscation coupled with commercial protection.\r\nMutex Identification\r\nQuestion 02: What is the name of the mutex created by PureLogs?\r\nThe malware implements a mutex (mutual exclusion object) to ensure only one instance runs on the infected\r\nsystem. This prevents resource conflicts and reduces the chance of detection through unusual system behavior.\r\nThrough dynamic debugging and method tracing in the initialization class, I identified the unique mutex name\r\nembedded in the malware’s configuration. This identifier serves as a system-wide lock mechanism for process\r\nmanagement.\r\nAnti-Sandboxing\r\nQuestion 03: PureLogs includes several anti-analysis checks before proceeding with execution.\r\nOne of them specifically targets a well-known sandboxing tool. What process name does PureLogs\r\ncheck for to detect this sandbox?\r\nModern malware analysis relies heavily on automated sandbox environments that execute suspicious samples in\r\nisolated, monitored conditions.
PureLogs implements sophisticated detection mechanisms to identify these\r\nenvironments and terminate before exhibiting malicious behavior.\r\nAfter locating this detection routine within the relevant class, it becomes evident that if the target process is found\r\nrunning, the malware exits immediately — successfully avoiding behavioral logging and artifact generation in\r\nsandboxed conditions.\r\nNote: When submitting your solution, the correct answer should be written in full as: processName.exe\r\nAnti-debugging\r\nQuestion 04: PureLogs avoids external analysis by querying a debugger-related state via a process\r\nhandle. What Windows API function is used for this check?\r\nPureLogs implements multiple anti-debugging checks to detect reverse engineering attempts. One sophisticated\r\nmethod involves querying the debugger attachment state through the Windows API.\r\nThis function returns a Boolean value indicating if a debugger is attached, enabling PureLogs to detect debugging\r\nattempts indirectly. By leveraging this API, PureLogs can terminate or alter its behavior when a debugger is\r\ndetected, effectively obstructing dynamic analysis and prolonging its stealth on compromised systems.\r\nRegistry Execution Prevention\r\nQuestion 05: PureLogs checks a specific registry key to know if it has already run on the system\r\nbefore. What is the full path of that registry key?\r\nThe malware prevents multiple instances of a program from running simultaneously using the Windows Registry\r\nas a lock mechanism.
It first checks if a configuration setting in GClass4.string_18 is enabled, and if so, searches\r\nfor a specific registry key under HKEY_CURRENT_USER\\Software\\ with the name stored in\r\nGClass4.string_19.\r\nIf the registry key exists, it means another instance is already running, so the program immediately exits. If the\r\nkey doesn’t exist, the malware proceeds with execution.\r\nProcess Masquerading\r\nQuestion 06: PureLogs modifies its process name and command-line to appear as a legitimate\r\nWindows process. What process name does it use to masquerade as a trusted system process?\r\nProcess masquerading is a sophisticated defense evasion technique where malware disguises itself as legitimate\r\nsystem processes to avoid detection by security software and system administrators.\r\nThe malware checks if the program is running with required privileges or in the correct process context using\r\nClass13.smethod_0().
If the check fails, it performs process injection or replacement by calling\r\nClass12.smethod_4() with the path to a legitimate Windows executable, essentially hiding the malware inside a\r\nlegitimate Windows process.\r\nAfter the injection, it runs cleanup with Class13.smethod_2() and terminates the current process.\r\nAnti-VM and Anti-Analysis Techniques\r\nThe malware implements multiple detection methods to identify virtual machines and analysis environments,\r\nallowing it to evade security researchers and sandboxes.\r\nVirtual Machine Detection\r\nThe malware searches for VM-specific artifacts across multiple system components:\r\nHypervisor Indicators:\r\nVMware products: vmware, vmbox, VMXh\r\nVirtualBox: virtualbox, vbox, innotek gmbh\r\nKVM, Xen, Hyper-V, QEMU, VirtualPC\r\nParallels, Fusion, Proxmox, ESXi, vSphere\r\nVirtualization Software:\r\nThinApp, TPVCGateway, TPAutoConnSvc\r\nAnalysis Tools Detection\r\nThe malware scans for common debugging and network analysis tools to avoid running in monitored\r\nenvironments:\r\nDebuggers:\r\nx32dbg, x64dbg, WinDbg, OllyDbg, dnSpy\r\nIDA Pro, IDA64, Immunity Debugger, HyperDbg\r\nProcess Monitors:\r\nProcess Monitor, Process Hacker, Cheat Engine\r\nNetwork Analysis:\r\nWireshark, Fiddler, Charles, Burp Suite\r\nmitmproxy, OWASP ZAP, Proxyman, HTTPDebugger\r\nHex Editors:\r\nHxD\r\nSandbox Environment Detection\r\nThe malware checks for indicators commonly found in malware analysis sandboxes:\r\n1. Screen Resolution Checks: Common sandbox configurations use specific resolutions:\r\n1280×1024\r\n1280×720\r\n1024×768\r\n2. Execution Path Analysis:\r\nRunning from C:\\ root directory\r\nExecution from temporary directories\r\nExecutable names exceeding 11 characters\r\n3. Known Sandbox Usernames: The malware maintains an extensive list of default usernames found in automated\r\nanalysis environments: WALKER, JOHN-PC, Abby, Bruno, george, M0S2hGyR, Frank, verzulli, azure,\r\nHarry Johnson, dekker, and many more.\r\nQuestion 07: What WMI class does PureLogs query to retrieve the system’s manufacturer and\r\nmodel?\r\nThe WMI class is associated with the namespace root\\CIMV2 using the query SELECT * FROM WMI_Class\r\nUAC Bypass and Privilege Escalation\r\nThe malware leverages Windows COM (Component Object Model) interfaces through the smethod_1()\r\nfunction.\r\nThe malware uses the Windows COM elevation moniker technique through the smethod_1() function. It\r\nconstructs a special elevation moniker string using a specific format and calls the Windows CoGetObject function\r\nto instantiate a COM object with elevated privileges.\r\nThis leverages specific Windows COM interfaces that allow silent elevation through trusted system components.\r\nKey COM GUIDs:\r\n6EDD6D74-C007-4E75-B76A-E5740995E24C\r\n3E5FC7F9-9A51-4367-9063-A120244FBEC7\r\nQuestion 08: PureLogs uses a trick to bypass the “Run as Administrator” (UAC) prompt by\r\nstarting a special COM object.
What exact string does it add before the COM CLSID to request\r\nan elevated instance?\r\nCredential Harvesting (Applications)\r\nThe malware implements targeted credential theft from popular applications through parallel execution to\r\nmaximize efficiency and speed.\r\nMulti-Application Targeting\r\nThe smethod_0() function orchestrates credential harvesting based on configuration flags stored in GClass4. It\r\ndynamically builds a list of theft operations and executes them in parallel using Parallel.ForEach with\r\nconfigurable thread limits.\r\nThe malware targets four major applications:\r\nFileZilla (FTP client): Extracts server credentials from `recentservers.xml` configuration file\r\nTelegram (messaging): Steals session data and authentication tokens\r\nSteam (gaming platform): Harvests account credentials and session information\r\nDiscord (communication): Performs sophisticated token extraction from local storage database\r\nDiscord Token Extraction\r\nThe Discord credential theft (smethod_2()) demonstrates advanced techniques by targeting the application’s\r\nLevelDB local storage database located in %AppData%\\discord\\Local Storage\\leveldb.\r\nThe malware:\r\n1. Iterates through all .ldb database files in the directory\r\n2. Searches for encrypted Discord authentication tokens using regex pattern dQw4w9WgXcQ:[^\\\"]*\r\n3. Extracts and decodes the Base64-encoded token when found\r\n4. Retrieves the master encryption key using Class7.smethod_19() to decrypt protected data\r\nData Exfiltration \u0026 C2 Communications\r\nThe malware implements comprehensive system reconnaissance and data exfiltration capabilities through the\r\n`smethod_0()` function, which collects detailed victim information.\r\nSystem Information Collection\r\nThe malware gathers extensive hardware and software details from the infected machine:\r\nUser identification: Username (GClass0.GClass1.smethod_1()) and domain name\r\nHardware specifications: GPU model, CPU information, RAM capacity\r\nSystem configuration: Windows version, system architecture (32/64-bit), screen resolution\r\nSecurity software: Installed antivirus products\r\nTimestamp: Current date and time of infection\r\nGeographic and Network Data\r\nThe malware queries geolocation services to determine the victim’s location and network information including\r\ncountry, city, region, ZIP code, public IP address, and timezone.\r\nQuestion 10: What regex pattern does PureLogs use to find Steam session tokens?\r\nHint: Search for “steam” references inside the `Class5` class to identify the regex pattern used for extracting\r\nSteam session tokens.\r\nQuestion 11: PureLogs adds a unique tag to the stolen data before sending it to the attacker. What\r\nis the exact string it adds to identify this specific build of the malware?\r\nHint: You will find it in the GClass4 class.\r\nLocation Identifications\r\nThe malware implements geographic filtering to avoid infecting systems in specific regions, likely to evade law\r\nenforcement or reduce attention from certain countries.\r\nThe smethod_0() function performs comprehensive location checks to determine if the victim is located in\r\nCommonwealth of Independent States (CIS) countries or Russian-speaking regions.\r\nThe malware queries multiple data points to ensure accurate geographic identification, checking against\r\ntwo-letter ISO country codes for the following nations:\r\nRU — Russia\r\nAZ — Azerbaijan\r\nAM — Armenia\r\nBY — Belarus\r\nKZ — Kazakhstan\r\nKG — Kyrgyzstan\r\nMD — Moldova\r\nTJ — Tajikistan\r\nTM — Turkmenistan\r\nUZ — Uzbekistan\r\nCommand and Control (C2) Communication\r\nQuestion 12: What port number does PureLogs use to communicate with its Command and\r\nControl (C2) server?\r\nAnalysis of network communication indicators reveals a TCP client implementation containing hardcoded IP\r\naddress and port number strings for C2 connectivity.\r\nAES Encryption\r\nAES (Advanced Encryption Standard) is a symmetric encryption algorithm, meaning it uses the same key to both\r\nencrypt and decrypt data.\r\nAES Modes of Operation\r\nAES operates on 128-bit blocks only.
To encrypt longer messages, we use modes of operation — these are often\r\nreferred to as “AES methods” in practice.\r\nQuestion 13: What mode of AES does PureLogs use to encrypt stolen data?\r\ninternal static byte[] Encrypt(byte[] plainBytes, byte[] passwordBytes)\r\n{\r\n    byte[] encryptedBytes = null;\r\n\r\n    // Fixed 16-byte salt embedded in the binary\r\n    byte[] salt = new byte[]\r\n    {\r\n        117, 45, 158, 253, 184, 172, 96, 158,\r\n        239, 125, 30, 70, 145, 225, 3, 161\r\n    };\r\n    using (MemoryStream ms = new MemoryStream())\r\n    {\r\n        using (RijndaelManaged aes = new RijndaelManaged())\r\n        {\r\n            aes.KeySize = 256;\r\n            aes.BlockSize = 128;\r\n\r\n            // PBKDF2 (RFC 2898) with 1000 iterations derives both the key and the IV from the password\r\n            Rfc2898DeriveBytes keyGen = new Rfc2898DeriveBytes(passwordBytes, salt, 1000);\r\n            aes.Key = keyGen.GetBytes(aes.KeySize / 8);\r\n            aes.IV = keyGen.GetBytes(aes.BlockSize / 8);\r\n            aes.Mode = CipherMode.CBC;\r\n\r\n            using (CryptoStream cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))\r\n            {\r\n                cs.Write(plainBytes, 0, plainBytes.Length);\r\n                cs.Close();\r\n            }\r\n            encryptedBytes = ms.ToArray();\r\n        }\r\n    }\r\n    return encryptedBytes;\r\n}\r\nWhy It’s CBC Mode\r\nIn the encryption function, the code sets:\r\nrijndaelManaged.Mode = 1;\r\nThe number 1 corresponds to the CBC mode in the `CipherMode` enumeration.\r\nQuestion 14: What is the length (in bytes) of the derived Initialization Vector (IV) used in the\r\nencryption?\r\nHint: Default is 128 bit, so just do: 128 / 8 = Answer\r\nQuestion 15: What algorithm is used to derive the AES key and IV from the SHA-512 hash in\r\nPureLogs?\r\nBased on this line:\r\nRfc2898DeriveBytes keyGen = new Rfc2898DeriveBytes(passwordBytes, salt, 1000);\r\nIn .NET, the class **Rfc2898DeriveBytes** is **Microsoft’s implementation of the PBKDF2 algorithm**. Its\r\nname literally comes from the standard that defines PBKDF2:\r\nRFC 2898 → “PKCS #5: Password-Based Cryptography Specification Version 2.0”\r\nSo whenever you see this\r\nclass being used, you can directly conclude: The program is using PBKDF2.\r\nQuestion 16: What fixed salt value is used in the PBKDF2 function in PureLogs (in\r\nhex starting with 0x)?\r\nHint: You will find an array containing data in decimal format. Convert it to hex and start it with 0x\r\nSelf Deletion\r\nThe malware implements a self-deletion mechanism to remove traces of its execution from the infected system.\r\n1. `/C` — Executes the command and terminates\r\n2. `choice /C Y /N /D Y /T 3` — Waits 3 seconds before proceeding\r\n3. `/C Y` — Accepts only ‘Y’ as valid input\r\n4. `/N` — Hides choice list\r\n5. `/D Y` — Default choice after timeout\r\n6. `/T 3` — Timeout in 3 seconds\r\n7. `\u0026` — Command separator\r\n8. `Del “\u003cpath\u003e”` — Deletes the malware executable\r\ninternal static void smethod_2()\r\n{\r\n    try\r\n    {\r\n        Process.Start(new ProcessStartInfo\r\n        {\r\n            Arguments = \"/C choice /C Y /N /D Y /T 3 \u0026 Del \\\"\" +\r\n                Assembly.GetExecutingAssembly().Location + \"\\\"\",\r\n            WindowStyle = ProcessWindowStyle.Hidden,\r\n            CreateNoWindow = true,\r\n            FileName = \"cmd.exe\"\r\n        });\r\n        Environment.Exit(0);\r\n    }\r\n    catch\r\n    {\r\n        Environment.Exit(0);\r\n    }\r\n}\r\nConclusion\r\nThe PureLogs Stealer is a highly modular information stealer integrating multi-layered .NET obfuscation, AES-256 encryption, and strong anti-analysis features. Its detailed encryption design using CBC mode and PBKDF2\r\nkey derivation ensures secure exfiltration, while evasion mechanisms hinder dynamic or sandboxed examination.\r\nThis sample reflects the increasing sophistication of commodity stealers, merging C2 resilience, cryptographic\r\nrigor, and AI-resistant evasion measures — emphasizing the need for proactive detection engineering and\r\nmachine-assisted malware analysis workflows.\r\nReferences\r\n1. Simplilearn. “AES Encryption: Secure Data with Advanced Encryption Standard (AES).” Retrieved October\r\n2025. https://www.simplilearn.com/tutorials/cryptography-tutorial/aes-encryption\r\n2. DExpose.io. “PureLogger Deep Analysis: Evasion, Data Theft, and Encryption Mechanism.” Published August\r\n2025. https://www.dexpose.io/purelogger-deep-analysis-evasion-data-theft-and-encryption-mechanism/\r\nSource: https://medium.com/@0xzyadelzyat/purelogs-stealer-complete-malware-analysis-ctf-walkthrough-83e41e7c6efd",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@0xzyadelzyat/purelogs-stealer-complete-malware-analysis-ctf-walkthrough-83e41e7c6efd"
	],
	"report_names": [
		"purelogs-stealer-complete-malware-analysis-ctf-walkthrough-83e41e7c6efd"
	],
	"threat_actors": [],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/835f2918b1ae6c2259aec2d756d83d8543bdc5dd.pdf",
		"text": "https://archive.orkl.eu/835f2918b1ae6c2259aec2d756d83d8543bdc5dd.txt",
		"img": "https://archive.orkl.eu/835f2918b1ae6c2259aec2d756d83d8543bdc5dd.jpg"
	}
}