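import "pe"

/*
 * check_installed_software
 *
 * Flags PE files that embed the registry path of the Windows "Uninstall"
 * key, which is where installed programs are listed. A hit is a capability
 * indicator, not a verdict: installers, updaters and inventory tools
 * reference the same key, so corroborate it with other signals.
 *
 * Changes from the original one-line rule:
 *   - The condition was `MZ and $s1 or pe.imports(...)`. `and` binds tighter
 *     than `or`, so the import test was a stand-alone alternative that
 *     bypassed both the MZ check and the string.
 *   - That alternative named "RegQueryValueEx", but advapi32.dll exports
 *     RegQueryValueExA / RegQueryValueExW, so the exact-name lookup did not
 *     match. Correcting the name while keeping the `or` would flag almost
 *     every program that reads the registry, so the branch is dropped.
 *     The rule's effective behaviour (MZ header + key string) is kept.
 *   - `$s1` was `wide` only. Registry key names are case-insensitive and
 *     ANSI builds store the path as single-byte text, so the string now
 *     also matches `ascii` and `nocase`.
 *
 * Known gap: the 32-bit view (SOFTWARE\WOW6432Node\...\Uninstall) is not
 * covered when a sample hard-codes that path.
 *
 * `import "pe"` is kept because other rules in the same file may use it.
 */
rule check_installed_software
{
    meta:
        description = "Detect check installed software through registry"
        author = "Thomas Roccia | @fr0gger_"

    strings:
        // Registry key that enumerates installed applications.
        $s1 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" ascii wide nocase

    condition:
        // "MZ" magic at offset 0 limits the scan to DOS/PE images.
        uint16(0) == 0x5A4D and $s1
}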