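/*
    This file is part of Manalyze.

    Manalyze is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    Manalyze is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with Manalyze.  If not, see <http://www.gnu.org/licenses/>.
*/

// Flags binaries that embed the names of common system, network and
// process monitoring tools. A match only proves the name is present
// (e.g. a hard-coded process list), not that the tool is abused.
rule System_Tools
{
    meta:
        description = "Contains references to system / monitoring tools"
        author = "Ivan Kwiatkowski (@JusticeRage)"
    strings:
        $a0 = "wireshark.exe" nocase wide ascii
        $a1 = "ethereal.exe" nocase wide ascii
        $a2 = "netstat.exe" nocase wide ascii
        // The dot before the extension is escaped so the regexes only
        // match a literal ".exe" and not an arbitrary character.
        $a3 = /taskm(an|gr|on)\.exe/ nocase wide ascii
        $a4 = /regedit(32)?\.exe/ nocase wide ascii
        // Short names such as "sc.exe" are substrings of other file names
        // (no "fullword"), so expect some noise from this rule.
        $a5 = "sc.exe" nocase wide ascii
        $a6 = "procexp.exe" nocase wide ascii
        $a7 = "procmon.exe" nocase wide ascii
        $a8 = "netmon.exe" nocase wide ascii
        $a9 = "regmon.exe" nocase wide ascii
        $a10 = "filemon.exe" nocase wide ascii
        $a11 = "msconfig.exe" nocase wide ascii
        $a12 = "vssadmin.exe" nocase wide ascii
        $a13 = "bcdedit.exe" nocase wide ascii
        $a14 = "dumpcap.exe" nocase wide ascii
        $a15 = "tcpdump.exe" nocase wide ascii
        $a16 = "mshta.exe" nocase wide ascii // Used by DUBNIUM to download files
        $a17 = "control.exe" nocase wide ascii // Used by EquationGroup to launch DLLs
        $a18 = "regsvr32.exe" nocase wide ascii
        $a19 = "rundll32.exe" nocase wide ascii
    condition:
        any of them
}

// Flags references to browser executables and to Firefox credential
// store file names ("key3.db", "signons.sqlite").
rule Browsers
{
    meta:
        description = "Contains references to internet browsers"
        author = "Ivan Kwiatkowski (@JusticeRage)"
    strings:
        $ie = "iexplore.exe" nocase wide ascii
        $ff = "firefox.exe" nocase wide ascii
        // NOTE(review): the two Firefox file names are case-sensitive and
        // ASCII-only, unlike the rest of the file; confirm this is intended.
        $ff_key = "key3.db"
        $ff_log = "signons.sqlite"
        $chrome = "chrome.exe" nocase wide ascii
        // TODO: Add user-agent strings
    condition:
        any of them
}

// Flags references to debuggers and disassemblers, a common ingredient of
// anti-analysis checks.
rule RE_Tools
{
    meta:
        description = "Contains references to debugging or reversing tools"
        author = "Ivan Kwiatkowski (@JusticeRage)"
    strings:
        // Escaped dot: match "ida.exe", "idaq64.exe", ... literally.
        $a0 = /ida(q)?(64)?\.exe/ nocase wide ascii
        $a1 = "ImmunityDebugger.exe" nocase wide ascii
        $a2 = "ollydbg.exe" nocase wide ascii
        $a3 = "lordpe.exe" nocase wide ascii
        $a4 = "peid.exe" nocase wide ascii
        $a5 = "windbg.exe" nocase wide ascii
    condition:
        any of them
}

// Flags references to security product process names. The list is
// imported from Metasploit's killav.rb and is intentionally broad; very
// short names ("au.exe", "arr.exe", "fast.exe", ...) carry no "fullword"
// modifier and will match inside unrelated strings.
// Identifier numbering has gaps inherited from the upstream list.
rule Antivirus
{
    meta:
        description = "Contains references to security software"
        author = "Jerome Athias"
        source = "Metasploit's killav.rb script"
    strings:
        $a0 = "AAWTray.exe" nocase wide ascii
        $a1 = "Ad-Aware.exe" nocase wide ascii
        $a2 = "MSASCui.exe" nocase wide ascii
        $a3 = "_avp32.exe" nocase wide ascii
        $a4 = "_avpcc.exe" nocase wide ascii
        $a5 = "_avpm.exe" nocase wide ascii
        $a6 = "aAvgApi.exe" nocase wide ascii
        $a7 = "ackwin32.exe" nocase wide ascii
        $a8 = "adaware.exe" nocase wide ascii
        $a9 = "advxdwin.exe" nocase wide ascii
        $a10 = "agentsvr.exe" nocase wide ascii
        $a11 = "agentw.exe" nocase wide ascii
        $a12 = "alertsvc.exe" nocase wide ascii
        $a13 = "alevir.exe" nocase wide ascii
        $a14 = "alogserv.exe" nocase wide ascii
        $a15 = "amon9x.exe" nocase wide ascii
        $a16 = "anti-trojan.exe" nocase wide ascii
        $a17 = "antivirus.exe" nocase wide ascii
        $a18 = "ants.exe" nocase wide ascii
        $a19 = "apimonitor.exe" nocase wide ascii
        $a20 = "aplica32.exe" nocase wide ascii
        $a21 = "apvxdwin.exe" nocase wide ascii
        $a22 = "arr.exe" nocase wide ascii
        $a23 = "atcon.exe" nocase wide ascii
        $a24 = "atguard.exe" nocase wide ascii
        $a25 = "atro55en.exe" nocase wide ascii
        $a26 = "atupdater.exe" nocase wide ascii
        $a27 = "atwatch.exe" nocase wide ascii
        $a28 = "au.exe" nocase wide ascii
        $a29 = "aupdate.exe" nocase wide ascii
        $a31 = "autodown.exe" nocase wide ascii
        $a32 = "autotrace.exe" nocase wide ascii
        $a33 = "autoupdate.exe" nocase wide ascii
        $a34 = "avconsol.exe" nocase wide ascii
        $a35 = "ave32.exe" nocase wide ascii
        $a36 = "avgcc32.exe" nocase wide ascii
        $a37 = "avgctrl.exe" nocase wide ascii
        $a38 = "avgemc.exe" nocase wide ascii
        $a39 = "avgnt.exe" nocase wide ascii
        $a40 = "avgrsx.exe" nocase wide ascii
        $a41 = "avgserv.exe" nocase wide ascii
        $a42 = "avgserv9.exe" nocase wide ascii
        // Escaped dot so that only a literal ".exe" completes the match.
        $a43 = /av(gui|guard|center|gtray|gidsagent|gwdsvc|grsa|gcsrva|gcsrvx)\.exe/ nocase wide ascii
        $a44 = "avgw.exe" nocase wide ascii
        $a45 = "avkpop.exe" nocase wide ascii
        $a46 = "avkserv.exe" nocase wide ascii
        $a47 = "avkservice.exe" nocase wide ascii
        $a48 = "avkwctl9.exe" nocase wide ascii
        $a49 = "avltmain.exe" nocase wide ascii
        $a50 = "avnt.exe" nocase wide ascii
        // $a52 (a duplicate of "avp.exe") was dropped; it added nothing
        // under "any of them".
        $a51 = "avp.exe" nocase wide ascii
        $a53 = "avp32.exe" nocase wide ascii
        $a54 = "avpcc.exe" nocase wide ascii
        $a55 = "avpdos32.exe" nocase wide ascii
        $a56 = "avpm.exe" nocase wide ascii
        $a57 = "avptc32.exe" nocase wide ascii
        $a58 = "avpupd.exe" nocase wide ascii
        $a59 = "avsched32.exe" nocase wide ascii
        $a60 = "avsynmgr.exe" nocase wide ascii
        $a61 = "avwin.exe" nocase wide ascii
        $a62 = "avwin95.exe" nocase wide ascii
        $a63 = "avwinnt.exe" nocase wide ascii
        $a64 = "avwupd.exe" nocase wide ascii
        $a65 = "avwupd32.exe" nocase wide ascii
        $a66 = "avwupsrv.exe" nocase wide ascii
        $a67 = "avxmonitor9x.exe" nocase wide ascii
        $a68 = "avxmonitornt.exe" nocase wide ascii
        $a69 = "avxquar.exe" nocase wide ascii
        $a73 = "beagle.exe" nocase wide ascii
        $a74 = "belt.exe" nocase wide ascii
        $a75 = "bidef.exe" nocase wide ascii
        $a76 = "bidserver.exe" nocase wide ascii
        $a77 = "bipcp.exe" nocase wide ascii
        $a79 = "bisp.exe" nocase wide ascii
        $a80 = "blackd.exe" nocase wide ascii
        $a81 = "blackice.exe" nocase wide ascii
        $a82 = "blink.exe" nocase wide ascii
        $a83 = "blss.exe" nocase wide ascii
        $a84 = "bootconf.exe" nocase wide ascii
        $a85 = "bootwarn.exe" nocase wide ascii
        $a86 = "borg2.exe" nocase wide ascii
        $a87 = "bpc.exe" nocase wide ascii
        $a89 = "bs120.exe" nocase wide ascii
        $a90 = "bundle.exe" nocase wide ascii
        $a91 = "bvt.exe" nocase wide ascii
        $a92 = "ccapp.exe" nocase wide ascii
        $a93 = "ccevtmgr.exe" nocase wide ascii
        $a94 = "ccpxysvc.exe" nocase wide ascii
        $a95 = "cdp.exe" nocase wide ascii
        $a96 = "cfd.exe" nocase wide ascii
        $a97 = "cfgwiz.exe" nocase wide ascii
        $a98 = "cfiadmin.exe" nocase wide ascii
        $a99 = "cfiaudit.exe" nocase wide ascii
        $a100 = "cfinet.exe" nocase wide ascii
        $a101 = "cfinet32.exe" nocase wide ascii
        $a102 = "claw95.exe" nocase wide ascii
        $a103 = "claw95cf.exe" nocase wide ascii
        $a104 = "clean.exe" nocase wide ascii
        $a105 = "cleaner.exe" nocase wide ascii
        $a106 = "cleaner3.exe" nocase wide ascii
        $a107 = "cleanpc.exe" nocase wide ascii
        $a108 = "click.exe" nocase wide ascii
        $a111 = "cmesys.exe" nocase wide ascii
        $a112 = "cmgrdian.exe" nocase wide ascii
        $a113 = "cmon016.exe" nocase wide ascii
        $a114 = "connectionmonitor.exe" nocase wide ascii
        $a115 = "cpd.exe" nocase wide ascii
        $a116 = "cpf9x206.exe" nocase wide ascii
        $a117 = "cpfnt206.exe" nocase wide ascii
        $a118 = "ctrl.exe" nocase wide ascii fullword
        $a119 = "cv.exe" nocase wide ascii
        $a120 = "cwnb181.exe" nocase wide ascii
        $a121 = "cwntdwmo.exe" nocase wide ascii
        $a123 = "dcomx.exe" nocase wide ascii
        $a124 = "defalert.exe" nocase wide ascii
        $a125 = "defscangui.exe" nocase wide ascii
        $a126 = "defwatch.exe" nocase wide ascii
        $a127 = "deputy.exe" nocase wide ascii
        $a129 = "dllcache.exe" nocase wide ascii
        $a130 = "dllreg.exe" nocase wide ascii
        $a132 = "dpf.exe" nocase wide ascii
        $a134 = "dpps2.exe" nocase wide ascii
        $a135 = "drwatson.exe" nocase wide ascii
        $a136 = "drweb32.exe" nocase wide ascii
        $a137 = "drwebupw.exe" nocase wide ascii
        $a138 = "dssagent.exe" nocase wide ascii
        $a139 = "dvp95.exe" nocase wide ascii
        $a140 = "dvp95_0.exe" nocase wide ascii
        $a141 = "ecengine.exe" nocase wide ascii
        $a142 = "efpeadm.exe" nocase wide ascii
        $a143 = "emsw.exe" nocase wide ascii
        $a145 = "esafe.exe" nocase wide ascii
        $a146 = "escanhnt.exe" nocase wide ascii
        $a147 = "escanv95.exe" nocase wide ascii
        $a148 = "espwatch.exe" nocase wide ascii
        $a150 = "etrustcipe.exe" nocase wide ascii
        $a151 = "evpn.exe" nocase wide ascii
        $a152 = "exantivirus-cnet.exe" nocase wide ascii
        $a153 = "exe.avxw.exe" nocase wide ascii
        $a154 = "expert.exe" nocase wide ascii
        $a156 = "f-agnt95.exe" nocase wide ascii
        $a157 = "f-prot.exe" nocase wide ascii
        $a158 = "f-prot95.exe" nocase wide ascii
        $a159 = "f-stopw.exe" nocase wide ascii
        $a160 = "fameh32.exe" nocase wide ascii
        $a161 = "fast.exe" nocase wide ascii
        $a162 = "fch32.exe" nocase wide ascii
        $a163 = "fih32.exe" nocase wide ascii
        $a164 = "findviru.exe" nocase wide ascii
        $a165 = "firewall.exe" nocase wide ascii
        $a166 = "fnrb32.exe" nocase wide ascii
        $a167 = "fp-win.exe" nocase wide ascii
        $a169 = "fprot.exe" nocase wide ascii
        $a170 = "frw.exe" nocase wide ascii
        $a171 = "fsaa.exe" nocase wide ascii
        $a172 = "fsav.exe" nocase wide ascii
        $a173 = "fsav32.exe" nocase wide ascii
        $a176 = "fsav95.exe" nocase wide ascii
        $a177 = "fsgk32.exe" nocase wide ascii
        $a178 = "fsm32.exe" nocase wide ascii
        $a179 = "fsma32.exe" nocase wide ascii
        $a180 = "fsmb32.exe" nocase wide ascii
        $a181 = "gator.exe" nocase wide ascii
        $a182 = "gbmenu.exe" nocase wide ascii
        $a183 = "gbpoll.exe" nocase wide ascii
        $a184 = "generics.exe" nocase wide ascii
        $a185 = "gmt.exe" nocase wide ascii
        $a186 = "guard.exe" nocase wide ascii
        $a187 = "guarddog.exe" nocase wide ascii
        $a189 = "hbinst.exe" nocase wide ascii
        $a190 = "hbsrv.exe" nocase wide ascii
        $a191 = "hotactio.exe" nocase wide ascii
        $a192 = "hotpatch.exe" nocase wide ascii
        $a193 = "htlog.exe" nocase wide ascii
        $a194 = "htpatch.exe" nocase wide ascii
        $a195 = "hwpe.exe" nocase wide ascii
        $a196 = "hxdl.exe" nocase wide ascii
        $a197 = "hxiul.exe" nocase wide ascii
        $a198 = "iamapp.exe" nocase wide ascii
        $a199 = "iamserv.exe" nocase wide ascii
        $a200 = "iamstats.exe" nocase wide ascii
        $a201 = "ibmasn.exe" nocase wide ascii
        $a202 = "ibmavsp.exe" nocase wide ascii
        $a203 = "icload95.exe" nocase wide ascii
        $a204 = "icloadnt.exe" nocase wide ascii
        $a205 = "icmon.exe" nocase wide ascii
        $a206 = "icsupp95.exe" nocase wide ascii
        $a207 = "icsuppnt.exe" nocase wide ascii
        $a209 = "iedll.exe" nocase wide ascii
        $a210 = "iedriver.exe" nocase wide ascii
        $a212 = "iface.exe" nocase wide ascii
        $a213 = "ifw2000.exe" nocase wide ascii
        $a214 = "inetlnfo.exe" nocase wide ascii
        $a215 = "infus.exe" nocase wide ascii
        $a216 = "infwin.exe" nocase wide ascii
        $a218 = "intdel.exe" nocase wide ascii
        $a219 = "intren.exe" nocase wide ascii
        $a220 = "iomon98.exe" nocase wide ascii
        $a221 = "istsvc.exe" nocase wide ascii
        $a222 = "jammer.exe" nocase wide ascii
        $a224 = "jedi.exe" nocase wide ascii
        $a227 = "kavpf.exe" nocase wide ascii
        $a228 = "kazza.exe" nocase wide ascii
        $a229 = "keenvalue.exe" nocase wide ascii
        $a236 = "ldnetmon.exe" nocase wide ascii
        $a237 = "ldpro.exe" nocase wide ascii
        $a238 = "ldpromenu.exe" nocase wide ascii
        $a239 = "ldscan.exe" nocase wide ascii
        $a240 = "lnetinfo.exe" nocase wide ascii
        $a242 = "localnet.exe" nocase wide ascii
        $a243 = "lockdown.exe" nocase wide ascii
        $a244 = "lockdown2000.exe" nocase wide ascii
        $a245 = "lookout.exe" nocase wide ascii
        $a248 = "luall.exe" nocase wide ascii
        $a249 = "luau.exe" nocase wide ascii
        $a250 = "lucomserver.exe" nocase wide ascii
        $a251 = "luinit.exe" nocase wide ascii
        $a252 = "luspt.exe" nocase wide ascii
        $a253 = "mapisvc32.exe" nocase wide ascii
        $a254 = "mcagent.exe" nocase wide ascii
        $a255 = "mcmnhdlr.exe" nocase wide ascii
        $a256 = "mcshield.exe" nocase wide ascii
        $a257 = "mctool.exe" nocase wide ascii
        $a258 = "mcupdate.exe" nocase wide ascii
        $a259 = "mcvsrte.exe" nocase wide ascii
        $a260 = "mcvsshld.exe" nocase wide ascii
        $a262 = "mfin32.exe" nocase wide ascii
        $a263 = "mfw2en.exe" nocase wide ascii
        $a265 = "mgavrtcl.exe" nocase wide ascii
        $a266 = "mgavrte.exe" nocase wide ascii
        $a267 = "mghtml.exe" nocase wide ascii
        $a268 = "mgui.exe" nocase wide ascii
        $a269 = "minilog.exe" nocase wide ascii
        $a270 = "mmod.exe" nocase wide ascii
        $a271 = "monitor.exe" nocase wide ascii
        $a272 = "moolive.exe" nocase wide ascii
        $a273 = "mostat.exe" nocase wide ascii
        $a274 = "mpfagent.exe" nocase wide ascii
        $a275 = "mpfservice.exe" nocase wide ascii
        $a276 = "mpftray.exe" nocase wide ascii
        $a277 = "mrflux.exe" nocase wide ascii
        $a278 = "msapp.exe" nocase wide ascii
        $a279 = "msbb.exe" nocase wide ascii
        $a280 = "msblast.exe" nocase wide ascii
        $a281 = "mscache.exe" nocase wide ascii
        $a282 = "msccn32.exe" nocase wide ascii
        $a283 = "mscman.exe" nocase wide ascii
        $a285 = "msdm.exe" nocase wide ascii
        $a286 = "msdos.exe" nocase wide ascii
        $a287 = "msiexec16.exe" nocase wide ascii
        $a288 = "msinfo32.exe" nocase wide ascii
        $a289 = "mslaugh.exe" nocase wide ascii
        $a290 = "msmgt.exe" nocase wide ascii
        $a291 = "msmsgri32.exe" nocase wide ascii
        $a292 = "mssmmc32.exe" nocase wide ascii
        $a293 = "mssys.exe" nocase wide ascii
        $a294 = "msvxd.exe" nocase wide ascii
        $a295 = "mu0311ad.exe" nocase wide ascii
        $a296 = "mwatch.exe" nocase wide ascii
        $a297 = "n32scanw.exe" nocase wide ascii
        $a298 = "nav.exe" nocase wide ascii
        $a300 = "navapsvc.exe" nocase wide ascii
        $a301 = "navapw32.exe" nocase wide ascii
        $a302 = "navdx.exe" nocase wide ascii
        $a303 = "navlu32.exe" nocase wide ascii
        $a304 = "navnt.exe" nocase wide ascii
        $a305 = "navstub.exe" nocase wide ascii
        $a306 = "navw32.exe" nocase wide ascii
        $a307 = "navwnt.exe" nocase wide ascii
        $a308 = "nc2000.exe" nocase wide ascii
        $a309 = "ncinst4.exe" nocase wide ascii
        $a310 = "ndd32.exe" nocase wide ascii
        $a311 = "neomonitor.exe" nocase wide ascii
        $a312 = "neowatchlog.exe" nocase wide ascii
        $a313 = "netarmor.exe" nocase wide ascii
        $a314 = "netd32.exe" nocase wide ascii
        $a315 = "netinfo.exe" nocase wide ascii
        $a317 = "netscanpro.exe" nocase wide ascii
        $a320 = "netutils.exe" nocase wide ascii
        $a321 = "nisserv.exe" nocase wide ascii
        $a322 = "nisum.exe" nocase wide ascii
        $a323 = "nmain.exe" nocase wide ascii
        $a324 = "nod32.exe" nocase wide ascii
        $a325 = "normist.exe" nocase wide ascii
        $a327 = "notstart.exe" nocase wide ascii
        $a329 = "npfmessenger.exe" nocase wide ascii
        $a330 = "nprotect.exe" nocase wide ascii
        $a331 = "npscheck.exe" nocase wide ascii
        $a332 = "npssvc.exe" nocase wide ascii
        $a333 = "nsched32.exe" nocase wide ascii
        $a334 = "nssys32.exe" nocase wide ascii
        $a335 = "nstask32.exe" nocase wide ascii
        $a336 = "nsupdate.exe" nocase wide ascii
        $a338 = "ntrtscan.exe" nocase wide ascii
        $a340 = "ntxconfig.exe" nocase wide ascii
        $a341 = "nui.exe" nocase wide ascii
        $a342 = "nupgrade.exe" nocase wide ascii
        $a343 = "nvarch16.exe" nocase wide ascii
        $a344 = "nvc95.exe" nocase wide ascii
        $a345 = "nvsvc32.exe" nocase wide ascii
        $a346 = "nwinst4.exe" nocase wide ascii
        $a347 = "nwservice.exe" nocase wide ascii
        $a348 = "nwtool16.exe" nocase wide ascii
        $a350 = "onsrvr.exe" nocase wide ascii
        $a351 = "optimize.exe" nocase wide ascii
        $a352 = "ostronet.exe" nocase wide ascii
        $a353 = "otfix.exe" nocase wide ascii
        $a354 = "outpost.exe" nocase wide ascii
        $a360 = "pavcl.exe" nocase wide ascii
        $a361 = "pavproxy.exe" nocase wide ascii
        $a362 = "pavsched.exe" nocase wide ascii
        $a363 = "pavw.exe" nocase wide ascii
        $a364 = "pccwin98.exe" nocase wide ascii
        $a365 = "pcfwallicon.exe" nocase wide ascii
        $a367 = "pcscan.exe" nocase wide ascii
        $a369 = "periscope.exe" nocase wide ascii
        $a370 = "persfw.exe" nocase wide ascii
        $a371 = "perswf.exe" nocase wide ascii
        $a372 = "pf2.exe" nocase wide ascii
        $a373 = "pfwadmin.exe" nocase wide ascii
        $a374 = "pgmonitr.exe" nocase wide ascii
        $a375 = "pingscan.exe" nocase wide ascii
        $a376 = "platin.exe" nocase wide ascii
        $a377 = "pop3trap.exe" nocase wide ascii
        $a378 = "poproxy.exe" nocase wide ascii
        $a379 = "popscan.exe" nocase wide ascii
        $a380 = "portdetective.exe" nocase wide ascii
        $a381 = "portmonitor.exe" nocase wide ascii
        $a382 = "powerscan.exe" nocase wide ascii
        $a383 = "ppinupdt.exe" nocase wide ascii
        $a384 = "pptbc.exe" nocase wide ascii
        $a385 = "ppvstop.exe" nocase wide ascii
        $a387 = "prmt.exe" nocase wide ascii
        $a388 = "prmvr.exe" nocase wide ascii
        $a389 = "procdump.exe" nocase wide ascii
        $a390 = "processmonitor.exe" nocase wide ascii
        $a392 = "programauditor.exe" nocase wide ascii
        $a393 = "proport.exe" nocase wide ascii
        $a394 = "protectx.exe" nocase wide ascii
        $a395 = "pspf.exe" nocase wide ascii
        $a396 = "purge.exe" nocase wide ascii
        $a397 = "qconsole.exe" nocase wide ascii
        $a398 = "qserver.exe" nocase wide ascii
        $a399 = "rapapp.exe" nocase wide ascii
        $a400 = "rav7.exe" nocase wide ascii
        $a401 = "rav7win.exe" nocase wide ascii
        $a404 = "rb32.exe" nocase wide ascii
        $a405 = "rcsync.exe" nocase wide ascii
        $a406 = "realmon.exe" nocase wide ascii
        $a407 = "reged.exe" nocase wide ascii
        $a410 = "rescue.exe" nocase wide ascii
        $a412 = "rrguard.exe" nocase wide ascii
        $a413 = "rshell.exe" nocase wide ascii
        $a414 = "rtvscan.exe" nocase wide ascii
        $a415 = "rtvscn95.exe" nocase wide ascii
        $a416 = "rulaunch.exe" nocase wide ascii
        $a421 = "safeweb.exe" nocase wide ascii
        $a422 = "sahagent.exe" nocase wide ascii
        $a424 = "savenow.exe" nocase wide ascii
        $a425 = "sbserv.exe" nocase wide ascii
        $a428 = "scan32.exe" nocase wide ascii
        $a430 = "scanpm.exe" nocase wide ascii
        $a431 = "scrscan.exe" nocase wide ascii
        $a435 = "sfc.exe" nocase wide ascii
        $a436 = "sgssfw32.exe" nocase wide ascii
        $a439 = "shn.exe" nocase wide ascii
        $a440 = "showbehind.exe" nocase wide ascii
        $a441 = "smc.exe" nocase wide ascii
        $a442 = "sms.exe" nocase wide ascii
        $a443 = "smss32.exe" nocase wide ascii
        $a445 = "sofi.exe" nocase wide ascii
        $a447 = "spf.exe" nocase wide ascii
        $a449 = "spoler.exe" nocase wide ascii
        $a450 = "spoolcv.exe" nocase wide ascii
        $a451 = "spoolsv32.exe" nocase wide ascii
        $a452 = "spyxx.exe" nocase wide ascii
        $a453 = "srexe.exe" nocase wide ascii
        $a454 = "srng.exe" nocase wide ascii
        $a455 = "ss3edit.exe" nocase wide ascii
        $a457 = "ssgrate.exe" nocase wide ascii
        $a458 = "st2.exe" nocase wide ascii fullword
        $a461 = "supftrl.exe" nocase wide ascii
        $a470 = "symproxysvc.exe" nocase wide ascii
        $a471 = "symtray.exe" nocase wide ascii
        $a472 = "sysedit.exe" nocase wide ascii
        $a480 = "taumon.exe" nocase wide ascii
        $a481 = "tbscan.exe" nocase wide ascii
        $a483 = "tca.exe" nocase wide ascii
        $a484 = "tcm.exe" nocase wide ascii
        $a488 = "teekids.exe" nocase wide ascii
        $a489 = "tfak.exe" nocase wide ascii
        $a490 = "tfak5.exe" nocase wide ascii
        $a491 = "tgbob.exe" nocase wide ascii
        $a492 = "titanin.exe" nocase wide ascii
        $a493 = "titaninxp.exe" nocase wide ascii
        $a496 = "trjscan.exe" nocase wide ascii
        $a500 = "tvmd.exe" nocase wide ascii
        $a501 = "tvtmd.exe" nocase wide ascii
        $a513 = "vet32.exe" nocase wide ascii
        $a514 = "vet95.exe" nocase wide ascii
        $a515 = "vettray.exe" nocase wide ascii
        $a517 = "vir-help.exe" nocase wide ascii
        $a519 = "vnlan300.exe" nocase wide ascii
        $a520 = "vnpc3000.exe" nocase wide ascii
        $a521 = "vpc32.exe" nocase wide ascii
        $a522 = "vpc42.exe" nocase wide ascii
        $a523 = "vpfw30s.exe" nocase wide ascii
        $a524 = "vptray.exe" nocase wide ascii
        $a525 = "vscan40.exe" nocase wide ascii
        $a527 = "vsched.exe" nocase wide ascii
        $a528 = "vsecomr.exe" nocase wide ascii
        $a529 = "vshwin32.exe" nocase wide ascii
        $a531 = "vsmain.exe" nocase wide ascii
        $a532 = "vsmon.exe" nocase wide ascii
        $a533 = "vsstat.exe" nocase wide ascii
        $a534 = "vswin9xe.exe" nocase wide ascii
        $a535 = "vswinntse.exe" nocase wide ascii
        $a536 = "vswinperse.exe" nocase wide ascii
        $a537 = "w32dsm89.exe" nocase wide ascii
        $a538 = "w9x.exe" nocase wide ascii
        $a541 = "webscanx.exe" nocase wide ascii
        $a543 = "wfindv32.exe" nocase wide ascii
        $a545 = "wimmun32.exe" nocase wide ascii
        $a566 = "wnad.exe" nocase wide ascii
        $a567 = "wnt.exe" nocase wide ascii
        $a568 = "wradmin.exe" nocase wide ascii
        $a569 = "wrctrl.exe" nocase wide ascii
        $a570 = "wsbgate.exe" nocase wide ascii
        $a573 = "wyvernworksfirewall.exe" nocase wide ascii
        $a575 = "zapro.exe" nocase wide ascii
        $a577 = "zatutor.exe" nocase wide ascii
        $a579 = "zonealarm.exe" nocase wide ascii
        // Strings from Dubnium below
        $a580 = "QQPCRTP.exe" nocase wide ascii
        $a581 = "QQPCTray.exe" nocase wide ascii
        $a582 = "ZhuDongFangYu.exe" nocase wide ascii
        // The regexes below escape the dot before the extension so that
        // only the literal file names are matched.
        $a583 = /360(tray|sd|rp)\.exe/ nocase wide ascii
        $a584 = /qh(safetray|watchdog|activedefense)\.exe/ nocase wide ascii
        $a585 = "McNASvc.exe" nocase wide ascii
        $a586 = "MpfSrv.exe" nocase wide ascii
        $a587 = "McProxy.exe" nocase wide ascii
        $a588 = "mcmscsvc.exe" nocase wide ascii
        $a589 = "McUICnt.exe" nocase wide ascii
        $a590 = /ui(WatchDog|seagnt|winmgr)\.exe/ nocase wide ascii
        $a591 = "ufseagnt.exe" nocase wide ascii
        $a592 = /core(serviceshell|frameworkhost)\.exe/ nocase wide ascii
        // ".aye" is kept as written upstream (not a typo for ".exe").
        $a593 = /ay(agent|rtsrv|updsrv)\.aye/ nocase wide ascii
        $a594 = /avast(ui|svc)\.exe/ nocase wide ascii
        $a595 = /ms(seces|mpeng)\.exe/ nocase wide ascii
        $a596 = "afwserv.exe" nocase wide ascii
        $a597 = "FiddlerUser"
    condition:
        any of them
}

// Generic virtual-machine checks: registry keys that expose hypervisor
// hardware identifiers, the "redpill" SIDT stub, and the two audio CLSIDs
// that some ransomware queries to tell a sandbox from a real desktop.
rule VM_Generic_Detection : AntiVM
{
    meta:
        description = "Tries to detect virtualized environments"
    strings:
        $a0 = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
        $a1 = "HARDWARE\\Description\\System" nocase wide ascii
        $a2 = "SYSTEM\\CurrentControlSet\\Control\\SystemInformation" nocase wide ascii
        $a3 = "SYSTEM\\CurrentControlSet\\Enum\\IDE" nocase wide ascii
        // "sidt [mem32]; ret" as emitted by the classic redpill snippet.
        $redpill = { 0F 01 0D 00 00 00 00 C3 } // Copied from the Cuckoo project
        // CLSIDs used to detect if speakers are present. Hoping this will not cause false positives.
        // Both must be present (see condition) to limit noise from programs that
        // legitimately use DirectShow.
        $teslacrypt1 = { D1 29 06 E3 E5 27 CE 11 87 5D 00 60 8C B7 80 66 } // CLSID_AudioRender
        $teslacrypt2 = { B3 EB 36 E4 4F 52 CE 11 9F 53 00 20 AF 0B A7 70 } // CLSID_FilterGraph
    condition:
        any of ($a*) or $redpill or all of ($teslacrypt*)
}

// Artifacts of VMware guests: the backdoor magic, driver / service names,
// OUI prefixes of VMware-assigned MAC addresses and VMware's PCI vendor ID.
// Several driver names in the upstream Cuckoo list ("prl*", "vpc-s3.sys")
// look like they belong to other hypervisors; they are kept as inherited.
rule VMWare_Detection : AntiVM
{
    meta:
        description = "Looks for VMWare presence"
        author = "Cuckoo project"
    strings:
        $a0 = "VMXh"
        $a1 = "vmware" nocase wide ascii
        $vmware4 = "hgfs.sys" nocase wide ascii
        $vmware5 = "mhgfs.sys" nocase wide ascii
        $vmware6 = "prleth.sys" nocase wide ascii
        $vmware7 = "prlfs.sys" nocase wide ascii
        $vmware8 = "prlmouse.sys" nocase wide ascii
        $vmware9 = "prlvideo.sys" nocase wide ascii
        $vmware10 = "prl_pv32.sys" nocase wide ascii
        $vmware11 = "vpc-s3.sys" nocase wide ascii
        $vmware12 = "vmsrvc.sys" nocase wide ascii
        $vmware13 = "vmx86.sys" nocase wide ascii
        $vmware14 = "vmnet.sys" nocase wide ascii
        $vmware15 = "vmicheartbeat" nocase wide ascii
        $vmware16 = "vmicvss" nocase wide ascii
        $vmware17 = "vmicshutdown" nocase wide ascii
        $vmware18 = "vmicexchange" nocase wide ascii
        $vmware19 = "vmdebug" nocase wide ascii
        $vmware20 = "vmmouse" nocase wide ascii
        $vmware21 = "vmtools" nocase wide ascii
        $vmware22 = "VMMEMCTL" nocase wide ascii
        $vmware23 = "vmx86" nocase wide ascii
        // VMware MAC addresses
        $vmware_mac_1a = "00-05-69" wide ascii
        $vmware_mac_1b = "00:05:69" wide ascii
        $vmware_mac_1c = "000569" wide ascii
        $vmware_mac_2a = "00-50-56" wide ascii
        $vmware_mac_2b = "00:50:56" wide ascii
        $vmware_mac_2c = "005056" wide ascii
        $vmware_mac_3a = "00-0C-29" nocase wide ascii
        $vmware_mac_3b = "00:0C:29" nocase wide ascii
        $vmware_mac_3c = "000C29" nocase wide ascii
        $vmware_mac_4a = "00-1C-14" nocase wide ascii
        $vmware_mac_4b = "00:1C:14" nocase wide ascii
        $vmware_mac_4c = "001C14" nocase wide ascii
        // PCI Vendor IDs, from Hacking Team's leak
        // Renamed from $virtualbox_vid_1: 0x15AD is VMware's vendor ID and this
        // is the VMware rule; the misleading name was a copy-paste leftover.
        $vmware_vid_1 = "VEN_15ad" nocase wide ascii
    condition:
        any of them
}

// Artifacts of the Sandboxie sandbox: its injected DLL, the Buster
// Sandbox Analyzer logging DLL and the Sandboxie service processes.
rule Sandboxie_Detection : AntiVM
{
    meta:
        description = "Looks for Sandboxie presence"
        author = "Ivan Kwiatkowski (@JusticeRage)"
    strings:
        $sbie = "SbieDll.dll" nocase wide ascii
        // Escaped dot: only a literal ".DLL" completes the match.
        $buster = /LOG_API(_VERBOSE)?\.DLL/ nocase wide ascii
        $sbie_process_1 = "SbieSvc.exe" nocase wide ascii
        $sbie_process_2 = "SbieCtrl.exe" nocase wide ascii
        $sbie_process_3 = "SandboxieRpcSs.exe" nocase wide ascii
        $sbie_process_4 = "SandboxieDcomLaunch.exe" nocase wide ascii
        $sbie_process_5 = "SandboxieCrypto.exe" nocase wide ascii
        $sbie_process_6 = "SandboxieBITS.exe" nocase wide ascii
        $sbie_process_7 = "SandboxieWUAU.exe" nocase wide ascii
    condition:
        any of them
}

// Artifacts of Microsoft VirtualPC guests: the VPC-specific instruction
// sequence used for guest detection and VPC driver names.
rule VirtualPC_Detection : AntiVM
{
    meta:
        description = "Looks for VirtualPC presence"
        author = "Cuckoo project"
    strings:
        // Opcode sequence that VirtualPC intercepts; presumably the
        // hypervisor-communication check (per Cuckoo) - confirm before
        // tightening.
        $a0 = { 0F 3F 07 0B }
        $virtualpc1 = "vpcbus" nocase wide ascii
        $virtualpc2 = "vpc-s3" nocase wide ascii
        $virtualpc3 = "vpcuhub" nocase wide ascii
        $virtualpc4 = "msvmmouf" nocase wide ascii
    condition:
        any of them
}

// Artifacts of VirtualBox guests: Guest Additions components, the
// VirtualBox OUI, PCI vendor ID, registry keys, driver paths, named pipes
// and the tray window class.
rule VirtualBox_Detection : AntiVM
{
    meta:
        description = "Looks for VirtualBox presence"
        author = "Cuckoo project"
    strings:
        $virtualbox1 = "VBoxHook.dll" nocase wide ascii
        $virtualbox2 = "VBoxService" nocase wide ascii
        $virtualbox3 = "VBoxTray" nocase wide ascii
        $virtualbox4 = "VBoxMouse" nocase wide ascii
        $virtualbox5 = "VBoxGuest" nocase wide ascii
        $virtualbox6 = "VBoxSF" nocase wide ascii
        $virtualbox7 = "VBoxGuestAdditions" nocase wide ascii
        $virtualbox8 = "VBOX HARDDISK" nocase wide ascii
        $virtualbox9 = "vboxservice" nocase wide ascii
        $virtualbox10 = "vboxtray" nocase wide ascii
        // MAC addresses
        $virtualbox_mac_1a = "08-00-27"
        $virtualbox_mac_1b = "08:00:27"
        $virtualbox_mac_1c = "080027"
        // PCI Vendor IDs, from Hacking Team's leak
        $virtualbox_vid_1 = "VEN_80EE" nocase wide ascii
        // Registry keys
        $virtualbox_reg_1 = "SOFTWARE\\Oracle\\VirtualBox Guest Additions" nocase wide ascii
        $virtualbox_reg_2 = /HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__/ nocase wide ascii
        // Other
        // Was ".{15}" (exactly 15 characters), which no real VBox* driver name
        // satisfies; a bounded range lets "vboxguest.sys"-style names match.
        $virtualbox_files = /C:\\Windows\\System32\\drivers\\vbox.{1,15}\.(sys|dll)/ nocase wide ascii
        // Was a plain string, so "[A-Za-z]+" was matched literally and the
        // pattern could never fire; it is now the regex it was meant to be.
        $virtualbox_services = /System\\ControlSet001\\Services\\VBox[A-Za-z]+/ nocase wide ascii
        // The dot in "\\.\pipe" is escaped so it is matched literally.
        $virtualbox_pipe = /\\\\\.\\pipe\\(VBoxTrayIPC|VBoxMiniRdDN)/ nocase wide ascii
        $virtualbox_window = /VBoxTrayToolWnd(Class)?/ nocase wide ascii
    condition:
        any of them
}

// Artifacts of Parallels guests: the three 4-byte fragments of the
// hypervisor magic value and Parallels' PCI vendor ID.
rule Parallels_Detection : AntiVM
{
    meta:
        description = "Looks for Parallels presence"
    strings:
        $a0 = "magi"
        $a1 = "c!nu"
        $a2 = "mber"
        // PCI Vendor IDs, from Hacking Team's leak
        // Was "VEN_80EE", which is VirtualBox's vendor ID (see the VirtualBox
        // rule above) and, under the old "all of them" condition, prevented
        // this rule from ever matching a genuine Parallels check. 0x1AB8 is
        // the vendor ID registered to Parallels.
        $parallels_vid_1 = "VEN_1AB8" nocase wide ascii
    condition:
        // The magic fragments are only meaningful together (each is 4 bytes
        // and would be noisy alone); the vendor ID stands on its own, as in
        // the sibling hypervisor rules.
        all of ($a*) or $parallels_vid_1
}

// Matches the bare "qemu" token; expect noise from any QEMU-related
// tooling or documentation strings.
rule Qemu_Detection : AntiVM
{
    meta:
        description = "Looks for Qemu presence"
    strings:
        $a0 = "qemu" nocase wide ascii
    condition:
        any of them
}

// Persistence locations and environment variables typically used by a
// dropper to install a payload; also common in legitimate installers.
rule Dropper_Strings
{
    meta:
        description = "May have dropper capabilities"
        author = "Ivan Kwiatkowski (@JusticeRage)"
    strings:
        $a0 = "CurrentVersion\\Run" nocase wide ascii
        $a1 = "CurrentControlSet\\Services" nocase wide ascii
        $a2 = "Programs\\Startup" nocase wide ascii
        $a3 = "%temp%" nocase wide ascii
        $a4 = "%allusersprofile%" nocase wide ascii
    condition:
        any of them
}

// Identifies executables produced by the AutoIt script compiler from the
// runtime's own error strings.
rule AutoIT_compiled_script
{
    meta:
        description = "Is an AutoIT compiled script"
        author = "Ivan Kwiatkowski (@JusticeRage)"
    strings:
        $a0 = "AutoIt Error" ascii wide
        $a1 = "reserved for AutoIt internal use" ascii wide
    condition:
        any of them
}

// Flags WMI namespace paths, which indicate the binary talks to WMI
// (e.g. via IWbemLocator::ConnectServer).
rule WMI_strings
{
    meta:
        description = "Accesses the WMI"
        author = "Ivan Kwiatkowski (@JusticeRage)"
    strings:
        // WMI namespaces which may be referenced in the ConnectServer call.
        // All in the form of "ROOT\something"
        // NOTE(review): "Microsoft.{10}" requires exactly ten characters after
        // "Microsoft"; the intended bound is unclear - confirm before changing.
        $a0 = /ROOT\\(CIMV2|AccessLogging|ADFS|aspnet|Cli|Hardware|interop|InventoryLogging|Microsoft.{10}|Policy|RSOP|SECURITY|ServiceModel|snmpStandardCimv2|subscription|virtualization|WebAdministration|WMI)/ nocase ascii wide
    condition:
        any of them
}

// Looks for "GetProcAddress" (with either case for G, P and A) XOR-encoded
// with single-byte keys; each $aN is the string under key N+1.
rule Obfuscated_Strings
{
    meta:
        description = "Contains obfuscated function names"
        author = "Ivan Kwiatkowski (@JusticeRage)"
    strings:
        $a0 = { (46 | 66) 64 75 (51 | 71) 73 6E 62 (40 | 60) 65 65 73 64 72 72 } // [Gg]et[Pp]roc[Aa]ddress XOR 0x01
        $a1 = { (45 | 65) 67 76 (52 | 72) 70 6D 61 (43 | 63) 66 66 70 67 71 71 } // GetProcAddress XOR 0x02
        $a2 = { (44 | 64) 66 77 (53 | 73) 71 6C 60 (42 | 62) 67 67 71 66 70 70 } // etc...
        $a3 = { (43 | 63) 61 70 (54 | 74) 76 6B 67 (45 | 65) 60 60 76 61 77 77 }
        $a4 = { (42 | 62) 60 71 (55 | 75) 77 6A 66 (44 | 64) 61 61 77 60 76 76 }
        $a5 = { (41 | 61) 63 72 (56 | 76) 74 69 65 (47 | 67) 62 62 74 63 75 75 }
        $a6 = { (40 | 60) 62 73 (57 | 77) 75 68 64 (46 | 66) 63 63 75 62 74 74 }
        $a7 = { (4F | 6F) 6D 7C (58 | 78) 7A 67 6B (49 | 69) 6C 6C 7A 6D 7B 7B }
        $a8 = { (4E | 6E) 6C 7D (59 | 79) 7B 66 6A (48 | 68) 6D 6D 7B 6C 7A 7A }
        $a9 = { (4D | 6D) 6F 7E (5A | 7A) 78 65 69 (4B | 6B) 6E 6E 78 6F 79 79 }
        $a10 = { (4C | 6C) 6E 7F (5B | 7B) 79 64 68 (4A | 6A) 6F 6F 79 6E 78 78 }
        $a11 = { (4B | 6B) 69 78 (5C | 7C) 7E 63 6F (4D | 6D) 68 68 7E 69 7F 7F }
        $a12 = { (4A | 6A) 68 79 (5D | 7D) 7F 62 6E (4C | 6C) 69 69 7F 68 7E 7E }
        $a13 = { (49 | 69) 6B 7A (5E | 7E) 7C 61 6D (4F | 6F) 6A 6A 7C 6B 7D 7D }
        $a14 = { (48 | 68) 6A 7B (5F | 7F) 7D 60 6C (4E | 6E) 6B 6B 7D 6A 7C 7C }
        $a15 = { (57 | 77) 75 64 (40 | 60) 62 7F 73 (51 | 71) 74 74 62 75 63 63 }
        $a16 = { (56 | 76) 74 65 (41 | 61) 63 7E 72 (50 | 70) 75 75 63 74 62 62 }
        $a17 = { (55 | 75) 77 66 (42 | 62) 60 7D 71 (53 | 73) 76 76 60 77 61 61 }
        $a18 = { (54 | 74) 76 67 (43 | 63) 61 7C 70 (52 | 72) 77 77 61 76 60 60 }
        $a19 = { (53 | 73) 71 60 (44 | 64) 66 7B 77 (55 | 75) 70 70 66 71 67 67 }
        $a20 = { (52 | 72) 70 61 (45 | 65) 67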
7A 76 (54 | 74) 71 71 67 70 66 66 } $a21 = { (51 | 71) 73 62 (46 | 66) 64 79 75 (57 | 77) 72 72 64 73 65 65 } $a22 = { (50 | 70) 72 63 (47 | 67) 65 78 74 (56 | 76) 73 73 65 72 64 64 } $a23 = { (5F | 7F) 7D 6C (48 | 68) 6A 77 7B (59 | 79) 7C 7C 6A 7D 6B 6B } $a24 = { (5E | 7E) 7C 6D (49 | 69) 6B 76 7A (58 | 78) 7D 7D 6B 7C 6A 6A } $a25 = { (5D | 7D) 7F 6E (4A | 6A) 68 75 79 (5B | 7B) 7E 7E 68 7F 69 69 } $a26 = { (5C | 7C) 7E 6F (4B | 6B) 69 74 78 (5A | 7A) 7F 7F 69 7E 68 68 } $a27 = { (5B | 7B) 79 68 (4C | 6C) 6E 73 7F (5D | 7D) 78 78 6E 79 6F 6F } $a28 = { (5A | 7A) 78 69 (4D | 6D) 6F 72 7E (5C | 7C) 79 79 6F 78 6E 6E } $a29 = { (59 | 79) 7B 6A (4E | 6E) 6C 71 7D (5F | 7F) 7A 7A 6C 7B 6D 6D } $a30 = { (58 | 78) 7A 6B (4F | 6F) 6D 70 7C (5E | 7E) 7B 7B 6D 7A 6C 6C } // XOR 0x20 removed because it toggles capitalization and causes [Gg]ET[Pp]ROC[Aa]DDRESS to match. $a32 = { (66 | 46) 44 55 (71 | 51) 53 4E 42 (60 | 40) 45 45 53 44 52 52 } $a33 = { (65 | 45) 47 56 (72 | 52) 50 4D 41 (63 | 43) 46 46 50 47 51 51 } $a34 = { (64 | 44) 46 57 (73 | 53) 51 4C 40 (62 | 42) 47 47 51 46 50 50 } $a35 = { (63 | 43) 41 50 (74 | 54) 56 4B 47 (65 | 45) 40 40 56 41 57 57 } $a36 = { (62 | 42) 40 51 (75 | 55) 57 4A 46 (64 | 44) 41 41 57 40 56 56 } $a37 = { (61 | 41) 43 52 (76 | 56) 54 49 45 (67 | 47) 42 42 54 43 55 55 } $a38 = { (60 | 40) 42 53 (77 | 57) 55 48 44 (66 | 46) 43 43 55 42 54 54 } $a39 = { (6F | 4F) 4D 5C (78 | 58) 5A 47 4B (69 | 49) 4C 4C 5A 4D 5B 5B } $a40 = { (6E | 4E) 4C 5D (79 | 59) 5B 46 4A (68 | 48) 4D 4D 5B 4C 5A 5A } $a41 = { (6D | 4D) 4F 5E (7A | 5A) 58 45 49 (6B | 4B) 4E 4E 58 4F 59 59 } $a42 = { (6C | 4C) 4E 5F (7B | 5B) 59 44 48 (6A | 4A) 4F 4F 59 4E 58 58 } $a43 = { (6B | 4B) 49 58 (7C | 5C) 5E 43 4F (6D | 4D) 48 48 5E 49 5F 5F } $a44 = { (6A | 4A) 48 59 (7D | 5D) 5F 42 4E (6C | 4C) 49 49 5F 48 5E 5E } $a45 = { (69 | 49) 4B 5A (7E | 5E) 5C 41 4D (6F | 4F) 4A 4A 5C 4B 5D 5D } $a46 = { (68 | 48) 4A 5B (7F | 5F) 5D 40 4C (6E | 4E) 4B 4B 5D 4A 5C 5C } $a47 = { (77 | 
57) 55 44 (60 | 40) 42 5F 53 (71 | 51) 54 54 42 55 43 43 } $a48 = { (76 | 56) 54 45 (61 | 41) 43 5E 52 (70 | 50) 55 55 43 54 42 42 } $a49 = { (75 | 55) 57 46 (62 | 42) 40 5D 51 (73 | 53) 56 56 40 57 41 41 } $a50 = { (74 | 54) 56 47 (63 | 43) 41 5C 50 (72 | 52) 57 57 41 56 40 40 } $a51 = { (73 | 53) 51 40 (64 | 44) 46 5B 57 (75 | 55) 50 50 46 51 47 47 } $a52 = { (72 | 52) 50 41 (65 | 45) 47 5A 56 (74 | 54) 51 51 47 50 46 46 } $a53 = { (71 | 51) 53 42 (66 | 46) 44 59 55 (77 | 57) 52 52 44 53 45 45 } $a54 = { (70 | 50) 52 43 (67 | 47) 45 58 54 (76 | 56) 53 53 45 52 44 44 } $a55 = { (7F | 5F) 5D 4C (68 | 48) 4A 57 5B (79 | 59) 5C 5C 4A 5D 4B 4B } $a56 = { (7E | 5E) 5C 4D (69 | 49) 4B 56 5A (78 | 58) 5D 5D 4B 5C 4A 4A } $a57 = { (7D | 5D) 5F 4E (6A | 4A) 48 55 59 (7B | 5B) 5E 5E 48 5F 49 49 } $a58 = { (7C | 5C) 5E 4F (6B | 4B) 49 54 58 (7A | 5A) 5F 5F 49 5E 48 48 } $a59 = { (7B | 5B) 59 48 (6C | 4C) 4E 53 5F (7D | 5D) 58 58 4E 59 4F 4F } $a60 = { (7A | 5A) 58 49 (6D | 4D) 4F 52 5E (7C | 5C) 59 59 4F 58 4E 4E } $a61 = { (79 | 59) 5B 4A (6E | 4E) 4C 51 5D (7F | 5F) 5A 5A 4C 5B 4D 4D } $a62 = { (78 | 58) 5A 4B (6F | 4F) 4D 50 5C (7E | 5E) 5B 5B 4D 5A 4C 4C } $a63 = { (07 | 27) 25 34 (10 | 30) 32 2F 23 (01 | 21) 24 24 32 25 33 33 } $a64 = { (06 | 26) 24 35 (11 | 31) 33 2E 22 (00 | 20) 25 25 33 24 32 32 } $a65 = { (05 | 25) 27 36 (12 | 32) 30 2D 21 (03 | 23) 26 26 30 27 31 31 } $a66 = { (04 | 24) 26 37 (13 | 33) 31 2C 20 (02 | 22) 27 27 31 26 30 30 } $a67 = { (03 | 23) 21 30 (14 | 34) 36 2B 27 (05 | 25) 20 20 36 21 37 37 } $a68 = { (02 | 22) 20 31 (15 | 35) 37 2A 26 (04 | 24) 21 21 37 20 36 36 } $a69 = { (01 | 21) 23 32 (16 | 36) 34 29 25 (07 | 27) 22 22 34 23 35 35 } $a70 = { (00 | 20) 22 33 (17 | 37) 35 28 24 (06 | 26) 23 23 35 22 34 34 } $a71 = { (0F | 2F) 2D 3C (18 | 38) 3A 27 2B (09 | 29) 2C 2C 3A 2D 3B 3B } $a72 = { (0E | 2E) 2C 3D (19 | 39) 3B 26 2A (08 | 28) 2D 2D 3B 2C 3A 3A } $a73 = { (0D | 2D) 2F 3E (1A | 3A) 38 25 29 (0B | 2B) 2E 2E 38 2F 39 39 } $a74 = { (0C | 
2C) 2E 3F (1B | 3B) 39 24 28 (0A | 2A) 2F 2F 39 2E 38 38 } $a75 = { (0B | 2B) 29 38 (1C | 3C) 3E 23 2F (0D | 2D) 28 28 3E 29 3F 3F } $a76 = { (0A | 2A) 28 39 (1D | 3D) 3F 22 2E (0C | 2C) 29 29 3F 28 3E 3E } $a77 = { (09 | 29) 2B 3A (1E | 3E) 3C 21 2D (0F | 2F) 2A 2A 3C 2B 3D 3D } $a78 = { (08 | 28) 2A 3B (1F | 3F) 3D 20 2C (0E | 2E) 2B 2B 3D 2A 3C 3C } $a79 = { (17 | 37) 35 24 (00 | 20) 22 3F 33 (11 | 31) 34 34 22 35 23 23 } $a80 = { (16 | 36) 34 25 (01 | 21) 23 3E 32 (10 | 30) 35 35 23 34 22 22 } $a81 = { (15 | 35) 37 26 (02 | 22) 20 3D 31 (13 | 33) 36 36 20 37 21 21 } $a82 = { (14 | 34) 36 27 (03 | 23) 21 3C 30 (12 | 32) 37 37 21 36 20 20 } $a83 = { (13 | 33) 31 20 (04 | 24) 26 3B 37 (15 | 35) 30 30 26 31 27 27 } $a84 = { (12 | 32) 30 21 (05 | 25) 27 3A 36 (14 | 34) 31 31 27 30 26 26 } $a85 = { (11 | 31) 33 22 (06 | 26) 24 39 35 (17 | 37) 32 32 24 33 25 25 } $a86 = { (10 | 30) 32 23 (07 | 27) 25 38 34 (16 | 36) 33 33 25 32 24 24 } $a87 = { (1F | 3F) 3D 2C (08 | 28) 2A 37 3B (19 | 39) 3C 3C 2A 3D 2B 2B } $a88 = { (1E | 3E) 3C 2D (09 | 29) 2B 36 3A (18 | 38) 3D 3D 2B 3C 2A 2A } $a89 = { (1D | 3D) 3F 2E (0A | 2A) 28 35 39 (1B | 3B) 3E 3E 28 3F 29 29 } $a90 = { (1C | 3C) 3E 2F (0B | 2B) 29 34 38 (1A | 3A) 3F 3F 29 3E 28 28 } $a91 = { (1B | 3B) 39 28 (0C | 2C) 2E 33 3F (1D | 3D) 38 38 2E 39 2F 2F } $a92 = { (1A | 3A) 38 29 (0D | 2D) 2F 32 3E (1C | 3C) 39 39 2F 38 2E 2E } $a93 = { (19 | 39) 3B 2A (0E | 2E) 2C 31 3D (1F | 3F) 3A 3A 2C 3B 2D 2D } $a94 = { (18 | 38) 3A 2B (0F | 2F) 2D 30 3C (1E | 3E) 3B 3B 2D 3A 2C 2C } $a95 = { (27 | 07) 05 14 (30 | 10) 12 0F 03 (21 | 01) 04 04 12 05 13 13 } $a96 = { (26 | 06) 04 15 (31 | 11) 13 0E 02 (20 | 00) 05 05 13 04 12 12 } $a97 = { (25 | 05) 07 16 (32 | 12) 10 0D 01 (23 | 03) 06 06 10 07 11 11 } $a98 = { (24 | 04) 06 17 (33 | 13) 11 0C 00 (22 | 02) 07 07 11 06 10 10 } $a99 = { (23 | 03) 01 10 (34 | 14) 16 0B 07 (25 | 05) 00 00 16 01 17 17 } $a100 = { (22 | 02) 00 11 (35 | 15) 17 0A 06 (24 | 04) 01 01 17 00 16 16 } $a101 = { (21 | 
01) 03 12 (36 | 16) 14 09 05 (27 | 07) 02 02 14 03 15 15 } $a102 = { (20 | 00) 02 13 (37 | 17) 15 08 04 (26 | 06) 03 03 15 02 14 14 } $a103 = { (2F | 0F) 0D 1C (38 | 18) 1A 07 0B (29 | 09) 0C 0C 1A 0D 1B 1B } $a104 = { (2E | 0E) 0C 1D (39 | 19) 1B 06 0A (28 | 08) 0D 0D 1B 0C 1A 1A } $a105 = { (2D | 0D) 0F 1E (3A | 1A) 18 05 09 (2B | 0B) 0E 0E 18 0F 19 19 } $a106 = { (2C | 0C) 0E 1F (3B | 1B) 19 04 08 (2A | 0A) 0F 0F 19 0E 18 18 } $a107 = { (2B | 0B) 09 18 (3C | 1C) 1E 03 0F (2D | 0D) 08 08 1E 09 1F 1F } $a108 = { (2A | 0A) 08 19 (3D | 1D) 1F 02 0E (2C | 0C) 09 09 1F 08 1E 1E } $a109 = { (29 | 09) 0B 1A (3E | 1E) 1C 01 0D (2F | 0F) 0A 0A 1C 0B 1D 1D } $a110 = { (28 | 08) 0A 1B (3F | 1F) 1D 00 0C (2E | 0E) 0B 0B 1D 0A 1C 1C } $a111 = { (37 | 17) 15 04 (20 | 00) 02 1F 13 (31 | 11) 14 14 02 15 03 03 } $a112 = { (36 | 16) 14 05 (21 | 01) 03 1E 12 (30 | 10) 15 15 03 14 02 02 } $a113 = { (35 | 15) 17 06 (22 | 02) 00 1D 11 (33 | 13) 16 16 00 17 01 01 } $a114 = { (34 | 14) 16 07 (23 | 03) 01 1C 10 (32 | 12) 17 17 01 16 00 00 } $a115 = { (33 | 13) 11 00 (24 | 04) 06 1B 17 (35 | 15) 10 10 06 11 07 07 } $a116 = { (32 | 12) 10 01 (25 | 05) 07 1A 16 (34 | 14) 11 11 07 10 06 06 } $a117 = { (31 | 11) 13 02 (26 | 06) 04 19 15 (37 | 17) 12 12 04 13 05 05 } $a118 = { (30 | 10) 12 03 (27 | 07) 05 18 14 (36 | 16) 13 13 05 12 04 04 } $a119 = { (3F | 1F) 1D 0C (28 | 08) 0A 17 1B (39 | 19) 1C 1C 0A 1D 0B 0B } $a120 = { (3E | 1E) 1C 0D (29 | 09) 0B 16 1A (38 | 18) 1D 1D 0B 1C 0A 0A } $a121 = { (3D | 1D) 1F 0E (2A | 0A) 08 15 19 (3B | 1B) 1E 1E 08 1F 09 09 } $a122 = { (3C | 1C) 1E 0F (2B | 0B) 09 14 18 (3A | 1A) 1F 1F 09 1E 08 08 } $a123 = { (3B | 1B) 19 08 (2C | 0C) 0E 13 1F (3D | 1D) 18 18 0E 19 0F 0F } $a124 = { (3A | 1A) 18 09 (2D | 0D) 0F 12 1E (3C | 1C) 19 19 0F 18 0E 0E } $a125 = { (39 | 19) 1B 0A (2E | 0E) 0C 11 1D (3F | 1F) 1A 1A 0C 1B 0D 0D } $a126 = { (38 | 18) 1A 0B (2F | 0F) 0D 10 1C (3E | 1E) 1B 1B 0D 1A 0C 0C } $a127 = { (C7 | E7) E5 F4 (D0 | F0) F2 EF E3 (C1 | E1) E4 E4 F2 
E5 F3 F3 } $a128 = { (C6 | E6) E4 F5 (D1 | F1) F3 EE E2 (C0 | E0) E5 E5 F3 E4 F2 F2 } $a129 = { (C5 | E5) E7 F6 (D2 | F2) F0 ED E1 (C3 | E3) E6 E6 F0 E7 F1 F1 } $a130 = { (C4 | E4) E6 F7 (D3 | F3) F1 EC E0 (C2 | E2) E7 E7 F1 E6 F0 F0 } $a131 = { (C3 | E3) E1 F0 (D4 | F4) F6 EB E7 (C5 | E5) E0 E0 F6 E1 F7 F7 } $a132 = { (C2 | E2) E0 F1 (D5 | F5) F7 EA E6 (C4 | E4) E1 E1 F7 E0 F6 F6 } $a133 = { (C1 | E1) E3 F2 (D6 | F6) F4 E9 E5 (C7 | E7) E2 E2 F4 E3 F5 F5 } $a134 = { (C0 | E0) E2 F3 (D7 | F7) F5 E8 E4 (C6 | E6) E3 E3 F5 E2 F4 F4 } $a135 = { (CF | EF) ED FC (D8 | F8) FA E7 EB (C9 | E9) EC EC FA ED FB FB } $a136 = { (CE | EE) EC FD (D9 | F9) FB E6 EA (C8 | E8) ED ED FB EC FA FA } $a137 = { (CD | ED) EF FE (DA | FA) F8 E5 E9 (CB | EB) EE EE F8 EF F9 F9 } $a138 = { (CC | EC) EE FF (DB | FB) F9 E4 E8 (CA | EA) EF EF F9 EE F8 F8 } $a139 = { (CB | EB) E9 F8 (DC | FC) FE E3 EF (CD | ED) E8 E8 FE E9 FF FF } $a140 = { (CA | EA) E8 F9 (DD | FD) FF E2 EE (CC | EC) E9 E9 FF E8 FE FE } $a141 = { (C9 | E9) EB FA (DE | FE) FC E1 ED (CF | EF) EA EA FC EB FD FD } $a142 = { (C8 | E8) EA FB (DF | FF) FD E0 EC (CE | EE) EB EB FD EA FC FC } $a143 = { (D7 | F7) F5 E4 (C0 | E0) E2 FF F3 (D1 | F1) F4 F4 E2 F5 E3 E3 } $a144 = { (D6 | F6) F4 E5 (C1 | E1) E3 FE F2 (D0 | F0) F5 F5 E3 F4 E2 E2 } $a145 = { (D5 | F5) F7 E6 (C2 | E2) E0 FD F1 (D3 | F3) F6 F6 E0 F7 E1 E1 } $a146 = { (D4 | F4) F6 E7 (C3 | E3) E1 FC F0 (D2 | F2) F7 F7 E1 F6 E0 E0 } $a147 = { (D3 | F3) F1 E0 (C4 | E4) E6 FB F7 (D5 | F5) F0 F0 E6 F1 E7 E7 } $a148 = { (D2 | F2) F0 E1 (C5 | E5) E7 FA F6 (D4 | F4) F1 F1 E7 F0 E6 E6 } $a149 = { (D1 | F1) F3 E2 (C6 | E6) E4 F9 F5 (D7 | F7) F2 F2 E4 F3 E5 E5 } $a150 = { (D0 | F0) F2 E3 (C7 | E7) E5 F8 F4 (D6 | F6) F3 F3 E5 F2 E4 E4 } $a151 = { (DF | FF) FD EC (C8 | E8) EA F7 FB (D9 | F9) FC FC EA FD EB EB } $a152 = { (DE | FE) FC ED (C9 | E9) EB F6 FA (D8 | F8) FD FD EB FC EA EA } $a153 = { (DD | FD) FF EE (CA | EA) E8 F5 F9 (DB | FB) FE FE E8 FF E9 E9 } $a154 = { (DC | FC) FE EF (CB | EB) E9 
F4 F8 (DA | FA) FF FF E9 FE E8 E8 } $a155 = { (DB | FB) F9 E8 (CC | EC) EE F3 FF (DD | FD) F8 F8 EE F9 EF EF } $a156 = { (DA | FA) F8 E9 (CD | ED) EF F2 FE (DC | FC) F9 F9 EF F8 EE EE } $a157 = { (D9 | F9) FB EA (CE | EE) EC F1 FD (DF | FF) FA FA EC FB ED ED } $a158 = { (D8 | F8) FA EB (CF | EF) ED F0 FC (DE | FE) FB FB ED FA EC EC } $a159 = { (E7 | C7) C5 D4 (F0 | D0) D2 CF C3 (E1 | C1) C4 C4 D2 C5 D3 D3 } $a160 = { (E6 | C6) C4 D5 (F1 | D1) D3 CE C2 (E0 | C0) C5 C5 D3 C4 D2 D2 } $a161 = { (E5 | C5) C7 D6 (F2 | D2) D0 CD C1 (E3 | C3) C6 C6 D0 C7 D1 D1 } $a162 = { (E4 | C4) C6 D7 (F3 | D3) D1 CC C0 (E2 | C2) C7 C7 D1 C6 D0 D0 } $a163 = { (E3 | C3) C1 D0 (F4 | D4) D6 CB C7 (E5 | C5) C0 C0 D6 C1 D7 D7 } $a164 = { (E2 | C2) C0 D1 (F5 | D5) D7 CA C6 (E4 | C4) C1 C1 D7 C0 D6 D6 } $a165 = { (E1 | C1) C3 D2 (F6 | D6) D4 C9 C5 (E7 | C7) C2 C2 D4 C3 D5 D5 } $a166 = { (E0 | C0) C2 D3 (F7 | D7) D5 C8 C4 (E6 | C6) C3 C3 D5 C2 D4 D4 } $a167 = { (EF | CF) CD DC (F8 | D8) DA C7 CB (E9 | C9) CC CC DA CD DB DB } $a168 = { (EE | CE) CC DD (F9 | D9) DB C6 CA (E8 | C8) CD CD DB CC DA DA } $a169 = { (ED | CD) CF DE (FA | DA) D8 C5 C9 (EB | CB) CE CE D8 CF D9 D9 } $a170 = { (EC | CC) CE DF (FB | DB) D9 C4 C8 (EA | CA) CF CF D9 CE D8 D8 } $a171 = { (EB | CB) C9 D8 (FC | DC) DE C3 CF (ED | CD) C8 C8 DE C9 DF DF } $a172 = { (EA | CA) C8 D9 (FD | DD) DF C2 CE (EC | CC) C9 C9 DF C8 DE DE } $a173 = { (E9 | C9) CB DA (FE | DE) DC C1 CD (EF | CF) CA CA DC CB DD DD } $a174 = { (E8 | C8) CA DB (FF | DF) DD C0 CC (EE | CE) CB CB DD CA DC DC } $a175 = { (F7 | D7) D5 C4 (E0 | C0) C2 DF D3 (F1 | D1) D4 D4 C2 D5 C3 C3 } $a176 = { (F6 | D6) D4 C5 (E1 | C1) C3 DE D2 (F0 | D0) D5 D5 C3 D4 C2 C2 } $a177 = { (F5 | D5) D7 C6 (E2 | C2) C0 DD D1 (F3 | D3) D6 D6 C0 D7 C1 C1 } $a178 = { (F4 | D4) D6 C7 (E3 | C3) C1 DC D0 (F2 | D2) D7 D7 C1 D6 C0 C0 } $a179 = { (F3 | D3) D1 C0 (E4 | C4) C6 DB D7 (F5 | D5) D0 D0 C6 D1 C7 C7 } $a180 = { (F2 | D2) D0 C1 (E5 | C5) C7 DA D6 (F4 | D4) D1 D1 C7 D0 C6 C6 } $a181 = { (F1 
| D1) D3 C2 (E6 | C6) C4 D9 D5 (F7 | D7) D2 D2 C4 D3 C5 C5 } $a182 = { (F0 | D0) D2 C3 (E7 | C7) C5 D8 D4 (F6 | D6) D3 D3 C5 D2 C4 C4 } $a183 = { (FF | DF) DD CC (E8 | C8) CA D7 DB (F9 | D9) DC DC CA DD CB CB } $a184 = { (FE | DE) DC CD (E9 | C9) CB D6 DA (F8 | D8) DD DD CB DC CA CA } $a185 = { (FD | DD) DF CE (EA | CA) C8 D5 D9 (FB | DB) DE DE C8 DF C9 C9 } $a186 = { (FC | DC) DE CF (EB | CB) C9 D4 D8 (FA | DA) DF DF C9 DE C8 C8 } $a187 = { (FB | DB) D9 C8 (EC | CC) CE D3 DF (FD | DD) D8 D8 CE D9 CF CF } $a188 = { (FA | DA) D8 C9 (ED | CD) CF D2 DE (FC | DC) D9 D9 CF D8 CE CE } $a189 = { (F9 | D9) DB CA (EE | CE) CC D1 DD (FF | DF) DA DA CC DB CD CD } $a190 = { (F8 | D8) DA CB (EF | CF) CD D0 DC (FE | DE) DB DB CD DA CC CC } $a191 = { (87 | A7) A5 B4 (90 | B0) B2 AF A3 (81 | A1) A4 A4 B2 A5 B3 B3 } $a192 = { (86 | A6) A4 B5 (91 | B1) B3 AE A2 (80 | A0) A5 A5 B3 A4 B2 B2 } $a193 = { (85 | A5) A7 B6 (92 | B2) B0 AD A1 (83 | A3) A6 A6 B0 A7 B1 B1 } $a194 = { (84 | A4) A6 B7 (93 | B3) B1 AC A0 (82 | A2) A7 A7 B1 A6 B0 B0 } $a195 = { (83 | A3) A1 B0 (94 | B4) B6 AB A7 (85 | A5) A0 A0 B6 A1 B7 B7 } $a196 = { (82 | A2) A0 B1 (95 | B5) B7 AA A6 (84 | A4) A1 A1 B7 A0 B6 B6 } $a197 = { (81 | A1) A3 B2 (96 | B6) B4 A9 A5 (87 | A7) A2 A2 B4 A3 B5 B5 } $a198 = { (80 | A0) A2 B3 (97 | B7) B5 A8 A4 (86 | A6) A3 A3 B5 A2 B4 B4 } $a199 = { (8F | AF) AD BC (98 | B8) BA A7 AB (89 | A9) AC AC BA AD BB BB } $a200 = { (8E | AE) AC BD (99 | B9) BB A6 AA (88 | A8) AD AD BB AC BA BA } $a201 = { (8D | AD) AF BE (9A | BA) B8 A5 A9 (8B | AB) AE AE B8 AF B9 B9 } $a202 = { (8C | AC) AE BF (9B | BB) B9 A4 A8 (8A | AA) AF AF B9 AE B8 B8 } $a203 = { (8B | AB) A9 B8 (9C | BC) BE A3 AF (8D | AD) A8 A8 BE A9 BF BF } $a204 = { (8A | AA) A8 B9 (9D | BD) BF A2 AE (8C | AC) A9 A9 BF A8 BE BE } $a205 = { (89 | A9) AB BA (9E | BE) BC A1 AD (8F | AF) AA AA BC AB BD BD } $a206 = { (88 | A8) AA BB (9F | BF) BD A0 AC (8E | AE) AB AB BD AA BC BC } $a207 = { (97 | B7) B5 A4 (80 | A0) A2 BF B3 (91 | B1) B4 B4 A2 
B5 A3 A3 } $a208 = { (96 | B6) B4 A5 (81 | A1) A3 BE B2 (90 | B0) B5 B5 A3 B4 A2 A2 } $a209 = { (95 | B5) B7 A6 (82 | A2) A0 BD B1 (93 | B3) B6 B6 A0 B7 A1 A1 } $a210 = { (94 | B4) B6 A7 (83 | A3) A1 BC B0 (92 | B2) B7 B7 A1 B6 A0 A0 } $a211 = { (93 | B3) B1 A0 (84 | A4) A6 BB B7 (95 | B5) B0 B0 A6 B1 A7 A7 } $a212 = { (92 | B2) B0 A1 (85 | A5) A7 BA B6 (94 | B4) B1 B1 A7 B0 A6 A6 } $a213 = { (91 | B1) B3 A2 (86 | A6) A4 B9 B5 (97 | B7) B2 B2 A4 B3 A5 A5 } $a214 = { (90 | B0) B2 A3 (87 | A7) A5 B8 B4 (96 | B6) B3 B3 A5 B2 A4 A4 } $a215 = { (9F | BF) BD AC (88 | A8) AA B7 BB (99 | B9) BC BC AA BD AB AB } $a216 = { (9E | BE) BC AD (89 | A9) AB B6 BA (98 | B8) BD BD AB BC AA AA } $a217 = { (9D | BD) BF AE (8A | AA) A8 B5 B9 (9B | BB) BE BE A8 BF A9 A9 } $a218 = { (9C | BC) BE AF (8B | AB) A9 B4 B8 (9A | BA) BF BF A9 BE A8 A8 } $a219 = { (9B | BB) B9 A8 (8C | AC) AE B3 BF (9D | BD) B8 B8 AE B9 AF AF } $a220 = { (9A | BA) B8 A9 (8D | AD) AF B2 BE (9C | BC) B9 B9 AF B8 AE AE } $a221 = { (99 | B9) BB AA (8E | AE) AC B1 BD (9F | BF) BA BA AC BB AD AD } $a222 = { (98 | B8) BA AB (8F | AF) AD B0 BC (9E | BE) BB BB AD BA AC AC } $a223 = { (A7 | 87) 85 94 (B0 | 90) 92 8F 83 (A1 | 81) 84 84 92 85 93 93 } $a224 = { (A6 | 86) 84 95 (B1 | 91) 93 8E 82 (A0 | 80) 85 85 93 84 92 92 } $a225 = { (A5 | 85) 87 96 (B2 | 92) 90 8D 81 (A3 | 83) 86 86 90 87 91 91 } $a226 = { (A4 | 84) 86 97 (B3 | 93) 91 8C 80 (A2 | 82) 87 87 91 86 90 90 } $a227 = { (A3 | 83) 81 90 (B4 | 94) 96 8B 87 (A5 | 85) 80 80 96 81 97 97 } $a228 = { (A2 | 82) 80 91 (B5 | 95) 97 8A 86 (A4 | 84) 81 81 97 80 96 96 } $a229 = { (A1 | 81) 83 92 (B6 | 96) 94 89 85 (A7 | 87) 82 82 94 83 95 95 } $a230 = { (A0 | 80) 82 93 (B7 | 97) 95 88 84 (A6 | 86) 83 83 95 82 94 94 } $a231 = { (AF | 8F) 8D 9C (B8 | 98) 9A 87 8B (A9 | 89) 8C 8C 9A 8D 9B 9B } $a232 = { (AE | 8E) 8C 9D (B9 | 99) 9B 86 8A (A8 | 88) 8D 8D 9B 8C 9A 9A } $a233 = { (AD | 8D) 8F 9E (BA | 9A) 98 85 89 (AB | 8B) 8E 8E 98 8F 99 99 } $a234 = { (AC | 8C) 8E 9F (BB | 9B) 99 
84 88 (AA | 8A) 8F 8F 99 8E 98 98 } $a235 = { (AB | 8B) 89 98 (BC | 9C) 9E 83 8F (AD | 8D) 88 88 9E 89 9F 9F } $a236 = { (AA | 8A) 88 99 (BD | 9D) 9F 82 8E (AC | 8C) 89 89 9F 88 9E 9E } $a237 = { (A9 | 89) 8B 9A (BE | 9E) 9C 81 8D (AF | 8F) 8A 8A 9C 8B 9D 9D } $a238 = { (A8 | 88) 8A 9B (BF | 9F) 9D 80 8C (AE | 8E) 8B 8B 9D 8A 9C 9C } $a239 = { (B7 | 97) 95 84 (A0 | 80) 82 9F 93 (B1 | 91) 94 94 82 95 83 83 } $a240 = { (B6 | 96) 94 85 (A1 | 81) 83 9E 92 (B0 | 90) 95 95 83 94 82 82 } $a241 = { (B5 | 95) 97 86 (A2 | 82) 80 9D 91 (B3 | 93) 96 96 80 97 81 81 } $a242 = { (B4 | 94) 96 87 (A3 | 83) 81 9C 90 (B2 | 92) 97 97 81 96 80 80 } $a243 = { (B3 | 93) 91 80 (A4 | 84) 86 9B 97 (B5 | 95) 90 90 86 91 87 87 } $a244 = { (B2 | 92) 90 81 (A5 | 85) 87 9A 96 (B4 | 94) 91 91 87 90 86 86 } $a245 = { (B1 | 91) 93 82 (A6 | 86) 84 99 95 (B7 | 97) 92 92 84 93 85 85 } $a246 = { (B0 | 90) 92 83 (A7 | 87) 85 98 94 (B6 | 96) 93 93 85 92 84 84 } $a247 = { (BF | 9F) 9D 8C (A8 | 88) 8A 97 9B (B9 | 99) 9C 9C 8A 9D 8B 8B } $a248 = { (BE | 9E) 9C 8D (A9 | 89) 8B 96 9A (B8 | 98) 9D 9D 8B 9C 8A 8A } $a249 = { (BD | 9D) 9F 8E (AA | 8A) 88 95 99 (BB | 9B) 9E 9E 88 9F 89 89 } $a250 = { (BC | 9C) 9E 8F (AB | 8B) 89 94 98 (BA | 9A) 9F 9F 89 9E 88 88 } $a251 = { (BB | 9B) 99 88 (AC | 8C) 8E 93 9F (BD | 9D) 98 98 8E 99 8F 8F } $a252 = { (BA | 9A) 98 89 (AD | 8D) 8F 92 9E (BC | 9C) 99 99 8F 98 8E 8E } $a253 = { (B9 | 99) 9B 8A (AE | 8E) 8C 91 9D (BF | 9F) 9A 9A 8C 9B 8D 8D } $a254 = { (4D | 6D) 6E 60 65 (4D | 6D) 68 63 73 60 73 78 } // "LoadLibrary" XOR 0x01 $a255 = { (4E | 6E) 6D 63 66 (4E | 6E) 6B 60 70 63 70 7B } // "LoadLibrary" XOR 0x02 $a256 = { (4F | 6F) 6C 62 67 (4F | 6F) 6A 61 71 62 71 7A } // etc... 
$a257 = { (48 | 68) 6B 65 60 (48 | 68) 6D 66 76 65 76 7D } $a258 = { (49 | 69) 6A 64 61 (49 | 69) 6C 67 77 64 77 7C } $a259 = { (4A | 6A) 69 67 62 (4A | 6A) 6F 64 74 67 74 7F } $a260 = { (4B | 6B) 68 66 63 (4B | 6B) 6E 65 75 66 75 7E } $a261 = { (44 | 64) 67 69 6C (44 | 64) 61 6A 7A 69 7A 71 } $a262 = { (45 | 65) 66 68 6D (45 | 65) 60 6B 7B 68 7B 70 } $a263 = { (46 | 66) 65 6B 6E (46 | 66) 63 68 78 6B 78 73 } $a264 = { (47 | 67) 64 6A 6F (47 | 67) 62 69 79 6A 79 72 } $a265 = { (40 | 60) 63 6D 68 (40 | 60) 65 6E 7E 6D 7E 75 } $a266 = { (41 | 61) 62 6C 69 (41 | 61) 64 6F 7F 6C 7F 74 } $a267 = { (42 | 62) 61 6F 6A (42 | 62) 67 6C 7C 6F 7C 77 } $a268 = { (43 | 63) 60 6E 6B (43 | 63) 66 6D 7D 6E 7D 76 } $a269 = { (5C | 7C) 7F 71 74 (5C | 7C) 79 72 62 71 62 69 } $a270 = { (5D | 7D) 7E 70 75 (5D | 7D) 78 73 63 70 63 68 } $a271 = { (5E | 7E) 7D 73 76 (5E | 7E) 7B 70 60 73 60 6B } $a272 = { (5F | 7F) 7C 72 77 (5F | 7F) 7A 71 61 72 61 6A } $a273 = { (58 | 78) 7B 75 70 (58 | 78) 7D 76 66 75 66 6D } $a274 = { (59 | 79) 7A 74 71 (59 | 79) 7C 77 67 74 67 6C } $a275 = { (5A | 7A) 79 77 72 (5A | 7A) 7F 74 64 77 64 6F } $a276 = { (5B | 7B) 78 76 73 (5B | 7B) 7E 75 65 76 65 6E } $a277 = { (54 | 74) 77 79 7C (54 | 74) 71 7A 6A 79 6A 61 } $a278 = { (55 | 75) 76 78 7D (55 | 75) 70 7B 6B 78 6B 60 } $a279 = { (56 | 76) 75 7B 7E (56 | 76) 73 78 68 7B 68 63 } $a280 = { (57 | 77) 74 7A 7F (57 | 77) 72 79 69 7A 69 62 } $a281 = { (50 | 70) 73 7D 78 (50 | 70) 75 7E 6E 7D 6E 65 } $a282 = { (51 | 71) 72 7C 79 (51 | 71) 74 7F 6F 7C 6F 64 } $a283 = { (52 | 72) 71 7F 7A (52 | 72) 77 7C 6C 7F 6C 67 } $a284 = { (53 | 73) 70 7E 7B (53 | 73) 76 7D 6D 7E 6D 66 } // XOR 0x20 removed because it toggles capitalization and causes [lL]OAD[Ll]IBRARY to match. 
$a286 = { (6D | 4D) 4E 40 45 (6D | 4D) 48 43 53 40 53 58 } $a287 = { (6E | 4E) 4D 43 46 (6E | 4E) 4B 40 50 43 50 5B } $a288 = { (6F | 4F) 4C 42 47 (6F | 4F) 4A 41 51 42 51 5A } $a289 = { (68 | 48) 4B 45 40 (68 | 48) 4D 46 56 45 56 5D } $a290 = { (69 | 49) 4A 44 41 (69 | 49) 4C 47 57 44 57 5C } $a291 = { (6A | 4A) 49 47 42 (6A | 4A) 4F 44 54 47 54 5F } $a292 = { (6B | 4B) 48 46 43 (6B | 4B) 4E 45 55 46 55 5E } $a293 = { (64 | 44) 47 49 4C (64 | 44) 41 4A 5A 49 5A 51 } $a294 = { (65 | 45) 46 48 4D (65 | 45) 40 4B 5B 48 5B 50 } $a295 = { (66 | 46) 45 4B 4E (66 | 46) 43 48 58 4B 58 53 } $a296 = { (67 | 47) 44 4A 4F (67 | 47) 42 49 59 4A 59 52 } $a297 = { (60 | 40) 43 4D 48 (60 | 40) 45 4E 5E 4D 5E 55 } $a298 = { (61 | 41) 42 4C 49 (61 | 41) 44 4F 5F 4C 5F 54 } $a299 = { (62 | 42) 41 4F 4A (62 | 42) 47 4C 5C 4F 5C 57 } $a300 = { (63 | 43) 40 4E 4B (63 | 43) 46 4D 5D 4E 5D 56 } $a301 = { (7C | 5C) 5F 51 54 (7C | 5C) 59 52 42 51 42 49 } $a302 = { (7D | 5D) 5E 50 55 (7D | 5D) 58 53 43 50 43 48 } $a303 = { (7E | 5E) 5D 53 56 (7E | 5E) 5B 50 40 53 40 4B } $a304 = { (7F | 5F) 5C 52 57 (7F | 5F) 5A 51 41 52 41 4A } $a305 = { (78 | 58) 5B 55 50 (78 | 58) 5D 56 46 55 46 4D } $a306 = { (79 | 59) 5A 54 51 (79 | 59) 5C 57 47 54 47 4C } $a307 = { (7A | 5A) 59 57 52 (7A | 5A) 5F 54 44 57 44 4F } $a308 = { (7B | 5B) 58 56 53 (7B | 5B) 5E 55 45 56 45 4E } $a309 = { (74 | 54) 57 59 5C (74 | 54) 51 5A 4A 59 4A 41 } $a310 = { (75 | 55) 56 58 5D (75 | 55) 50 5B 4B 58 4B 40 } $a311 = { (76 | 56) 55 5B 5E (76 | 56) 53 58 48 5B 48 43 } $a312 = { (77 | 57) 54 5A 5F (77 | 57) 52 59 49 5A 49 42 } $a313 = { (70 | 50) 53 5D 58 (70 | 50) 55 5E 4E 5D 4E 45 } $a314 = { (71 | 51) 52 5C 59 (71 | 51) 54 5F 4F 5C 4F 44 } $a315 = { (72 | 52) 51 5F 5A (72 | 52) 57 5C 4C 5F 4C 47 } $a316 = { (73 | 53) 50 5E 5B (73 | 53) 56 5D 4D 5E 4D 46 } $a317 = { (0C | 2C) 2F 21 24 (0C | 2C) 29 22 32 21 32 39 } $a318 = { (0D | 2D) 2E 20 25 (0D | 2D) 28 23 33 20 33 38 } $a319 = { (0E | 2E) 2D 23 26 (0E | 2E) 2B 20 30 23 
30 3B } $a320 = { (0F | 2F) 2C 22 27 (0F | 2F) 2A 21 31 22 31 3A } $a321 = { (08 | 28) 2B 25 20 (08 | 28) 2D 26 36 25 36 3D } $a322 = { (09 | 29) 2A 24 21 (09 | 29) 2C 27 37 24 37 3C } $a323 = { (0A | 2A) 29 27 22 (0A | 2A) 2F 24 34 27 34 3F } $a324 = { (0B | 2B) 28 26 23 (0B | 2B) 2E 25 35 26 35 3E } $a325 = { (04 | 24) 27 29 2C (04 | 24) 21 2A 3A 29 3A 31 } $a326 = { (05 | 25) 26 28 2D (05 | 25) 20 2B 3B 28 3B 30 } $a327 = { (06 | 26) 25 2B 2E (06 | 26) 23 28 38 2B 38 33 } $a328 = { (07 | 27) 24 2A 2F (07 | 27) 22 29 39 2A 39 32 } $a329 = { (00 | 20) 23 2D 28 (00 | 20) 25 2E 3E 2D 3E 35 } $a330 = { (01 | 21) 22 2C 29 (01 | 21) 24 2F 3F 2C 3F 34 } $a331 = { (02 | 22) 21 2F 2A (02 | 22) 27 2C 3C 2F 3C 37 } $a332 = { (03 | 23) 20 2E 2B (03 | 23) 26 2D 3D 2E 3D 36 } $a333 = { (1C | 3C) 3F 31 34 (1C | 3C) 39 32 22 31 22 29 } $a334 = { (1D | 3D) 3E 30 35 (1D | 3D) 38 33 23 30 23 28 } $a335 = { (1E | 3E) 3D 33 36 (1E | 3E) 3B 30 20 33 20 2B } $a336 = { (1F | 3F) 3C 32 37 (1F | 3F) 3A 31 21 32 21 2A } $a337 = { (18 | 38) 3B 35 30 (18 | 38) 3D 36 26 35 26 2D } $a338 = { (19 | 39) 3A 34 31 (19 | 39) 3C 37 27 34 27 2C } $a339 = { (1A | 3A) 39 37 32 (1A | 3A) 3F 34 24 37 24 2F } $a340 = { (1B | 3B) 38 36 33 (1B | 3B) 3E 35 25 36 25 2E } $a341 = { (14 | 34) 37 39 3C (14 | 34) 31 3A 2A 39 2A 21 } $a342 = { (15 | 35) 36 38 3D (15 | 35) 30 3B 2B 38 2B 20 } $a343 = { (16 | 36) 35 3B 3E (16 | 36) 33 38 28 3B 28 23 } $a344 = { (17 | 37) 34 3A 3F (17 | 37) 32 39 29 3A 29 22 } $a345 = { (10 | 30) 33 3D 38 (10 | 30) 35 3E 2E 3D 2E 25 } $a346 = { (11 | 31) 32 3C 39 (11 | 31) 34 3F 2F 3C 2F 24 } $a347 = { (12 | 32) 31 3F 3A (12 | 32) 37 3C 2C 3F 2C 27 } $a348 = { (13 | 33) 30 3E 3B (13 | 33) 36 3D 2D 3E 2D 26 } $a349 = { (2C | 0C) 0F 01 04 (2C | 0C) 09 02 12 01 12 19 } $a350 = { (2D | 0D) 0E 00 05 (2D | 0D) 08 03 13 00 13 18 } $a351 = { (2E | 0E) 0D 03 06 (2E | 0E) 0B 00 10 03 10 1B } $a352 = { (2F | 0F) 0C 02 07 (2F | 0F) 0A 01 11 02 11 1A } $a353 = { (28 | 08) 0B 05 00 (28 | 08) 0D 06 
16 05 16 1D } $a354 = { (29 | 09) 0A 04 01 (29 | 09) 0C 07 17 04 17 1C } $a355 = { (2A | 0A) 09 07 02 (2A | 0A) 0F 04 14 07 14 1F } $a356 = { (2B | 0B) 08 06 03 (2B | 0B) 0E 05 15 06 15 1E } $a357 = { (24 | 04) 07 09 0C (24 | 04) 01 0A 1A 09 1A 11 } $a358 = { (25 | 05) 06 08 0D (25 | 05) 00 0B 1B 08 1B 10 } $a359 = { (26 | 06) 05 0B 0E (26 | 06) 03 08 18 0B 18 13 } $a360 = { (27 | 07) 04 0A 0F (27 | 07) 02 09 19 0A 19 12 } $a361 = { (20 | 00) 03 0D 08 (20 | 00) 05 0E 1E 0D 1E 15 } $a362 = { (21 | 01) 02 0C 09 (21 | 01) 04 0F 1F 0C 1F 14 } $a363 = { (22 | 02) 01 0F 0A (22 | 02) 07 0C 1C 0F 1C 17 } $a364 = { (23 | 03) 00 0E 0B (23 | 03) 06 0D 1D 0E 1D 16 } $a365 = { (3C | 1C) 1F 11 14 (3C | 1C) 19 12 02 11 02 09 } $a366 = { (3D | 1D) 1E 10 15 (3D | 1D) 18 13 03 10 03 08 } $a367 = { (3E | 1E) 1D 13 16 (3E | 1E) 1B 10 00 13 00 0B } $a368 = { (3F | 1F) 1C 12 17 (3F | 1F) 1A 11 01 12 01 0A } $a369 = { (38 | 18) 1B 15 10 (38 | 18) 1D 16 06 15 06 0D } $a370 = { (39 | 19) 1A 14 11 (39 | 19) 1C 17 07 14 07 0C } $a371 = { (3A | 1A) 19 17 12 (3A | 1A) 1F 14 04 17 04 0F } $a372 = { (3B | 1B) 18 16 13 (3B | 1B) 1E 15 05 16 05 0E } $a373 = { (34 | 14) 17 19 1C (34 | 14) 11 1A 0A 19 0A 01 } $a374 = { (35 | 15) 16 18 1D (35 | 15) 10 1B 0B 18 0B 00 } $a375 = { (36 | 16) 15 1B 1E (36 | 16) 13 18 08 1B 08 03 } $a376 = { (37 | 17) 14 1A 1F (37 | 17) 12 19 09 1A 09 02 } $a377 = { (30 | 10) 13 1D 18 (30 | 10) 15 1E 0E 1D 0E 05 } $a378 = { (31 | 11) 12 1C 19 (31 | 11) 14 1F 0F 1C 0F 04 } $a379 = { (32 | 12) 11 1F 1A (32 | 12) 17 1C 0C 1F 0C 07 } $a380 = { (33 | 13) 10 1E 1B (33 | 13) 16 1D 0D 1E 0D 06 } $a381 = { (CC | EC) EF E1 E4 (CC | EC) E9 E2 F2 E1 F2 F9 } $a382 = { (CD | ED) EE E0 E5 (CD | ED) E8 E3 F3 E0 F3 F8 } $a383 = { (CE | EE) ED E3 E6 (CE | EE) EB E0 F0 E3 F0 FB } $a384 = { (CF | EF) EC E2 E7 (CF | EF) EA E1 F1 E2 F1 FA } $a385 = { (C8 | E8) EB E5 E0 (C8 | E8) ED E6 F6 E5 F6 FD } $a386 = { (C9 | E9) EA E4 E1 (C9 | E9) EC E7 F7 E4 F7 FC } $a387 = { (CA | EA) E9 E7 E2 (CA | EA) 
EF E4 F4 E7 F4 FF } $a388 = { (CB | EB) E8 E6 E3 (CB | EB) EE E5 F5 E6 F5 FE } $a389 = { (C4 | E4) E7 E9 EC (C4 | E4) E1 EA FA E9 FA F1 } $a390 = { (C5 | E5) E6 E8 ED (C5 | E5) E0 EB FB E8 FB F0 } $a391 = { (C6 | E6) E5 EB EE (C6 | E6) E3 E8 F8 EB F8 F3 } $a392 = { (C7 | E7) E4 EA EF (C7 | E7) E2 E9 F9 EA F9 F2 } $a393 = { (C0 | E0) E3 ED E8 (C0 | E0) E5 EE FE ED FE F5 } $a394 = { (C1 | E1) E2 EC E9 (C1 | E1) E4 EF FF EC FF F4 } $a395 = { (C2 | E2) E1 EF EA (C2 | E2) E7 EC FC EF FC F7 } $a396 = { (C3 | E3) E0 EE EB (C3 | E3) E6 ED FD EE FD F6 } $a397 = { (DC | FC) FF F1 F4 (DC | FC) F9 F2 E2 F1 E2 E9 } $a398 = { (DD | FD) FE F0 F5 (DD | FD) F8 F3 E3 F0 E3 E8 } $a399 = { (DE | FE) FD F3 F6 (DE | FE) FB F0 E0 F3 E0 EB } $a400 = { (DF | FF) FC F2 F7 (DF | FF) FA F1 E1 F2 E1 EA } $a401 = { (D8 | F8) FB F5 F0 (D8 | F8) FD F6 E6 F5 E6 ED } $a402 = { (D9 | F9) FA F4 F1 (D9 | F9) FC F7 E7 F4 E7 EC } $a403 = { (DA | FA) F9 F7 F2 (DA | FA) FF F4 E4 F7 E4 EF } $a404 = { (DB | FB) F8 F6 F3 (DB | FB) FE F5 E5 F6 E5 EE } $a405 = { (D4 | F4) F7 F9 FC (D4 | F4) F1 FA EA F9 EA E1 } $a406 = { (D5 | F5) F6 F8 FD (D5 | F5) F0 FB EB F8 EB E0 } $a407 = { (D6 | F6) F5 FB FE (D6 | F6) F3 F8 E8 FB E8 E3 } $a408 = { (D7 | F7) F4 FA FF (D7 | F7) F2 F9 E9 FA E9 E2 } $a409 = { (D0 | F0) F3 FD F8 (D0 | F0) F5 FE EE FD EE E5 } $a410 = { (D1 | F1) F2 FC F9 (D1 | F1) F4 FF EF FC EF E4 } $a411 = { (D2 | F2) F1 FF FA (D2 | F2) F7 FC EC FF EC E7 } $a412 = { (D3 | F3) F0 FE FB (D3 | F3) F6 FD ED FE ED E6 } $a413 = { (EC | CC) CF C1 C4 (EC | CC) C9 C2 D2 C1 D2 D9 } $a414 = { (ED | CD) CE C0 C5 (ED | CD) C8 C3 D3 C0 D3 D8 } $a415 = { (EE | CE) CD C3 C6 (EE | CE) CB C0 D0 C3 D0 DB } $a416 = { (EF | CF) CC C2 C7 (EF | CF) CA C1 D1 C2 D1 DA } $a417 = { (E8 | C8) CB C5 C0 (E8 | C8) CD C6 D6 C5 D6 DD } $a418 = { (E9 | C9) CA C4 C1 (E9 | C9) CC C7 D7 C4 D7 DC } $a419 = { (EA | CA) C9 C7 C2 (EA | CA) CF C4 D4 C7 D4 DF } $a420 = { (EB | CB) C8 C6 C3 (EB | CB) CE C5 D5 C6 D5 DE } $a421 = { (E4 | C4) C7 C9 CC (E4 
| C4) C1 CA DA C9 DA D1 } $a422 = { (E5 | C5) C6 C8 CD (E5 | C5) C0 CB DB C8 DB D0 } $a423 = { (E6 | C6) C5 CB CE (E6 | C6) C3 C8 D8 CB D8 D3 } $a424 = { (E7 | C7) C4 CA CF (E7 | C7) C2 C9 D9 CA D9 D2 } $a425 = { (E0 | C0) C3 CD C8 (E0 | C0) C5 CE DE CD DE D5 } $a426 = { (E1 | C1) C2 CC C9 (E1 | C1) C4 CF DF CC DF D4 } $a427 = { (E2 | C2) C1 CF CA (E2 | C2) C7 CC DC CF DC D7 } $a428 = { (E3 | C3) C0 CE CB (E3 | C3) C6 CD DD CE DD D6 } $a429 = { (FC | DC) DF D1 D4 (FC | DC) D9 D2 C2 D1 C2 C9 } $a430 = { (FD | DD) DE D0 D5 (FD | DD) D8 D3 C3 D0 C3 C8 } $a431 = { (FE | DE) DD D3 D6 (FE | DE) DB D0 C0 D3 C0 CB } $a432 = { (FF | DF) DC D2 D7 (FF | DF) DA D1 C1 D2 C1 CA } $a433 = { (F8 | D8) DB D5 D0 (F8 | D8) DD D6 C6 D5 C6 CD } $a434 = { (F9 | D9) DA D4 D1 (F9 | D9) DC D7 C7 D4 C7 CC } $a435 = { (FA | DA) D9 D7 D2 (FA | DA) DF D4 C4 D7 C4 CF } $a436 = { (FB | DB) D8 D6 D3 (FB | DB) DE D5 C5 D6 C5 CE } $a437 = { (F4 | D4) D7 D9 DC (F4 | D4) D1 DA CA D9 CA C1 } $a438 = { (F5 | D5) D6 D8 DD (F5 | D5) D0 DB CB D8 CB C0 } $a439 = { (F6 | D6) D5 DB DE (F6 | D6) D3 D8 C8 DB C8 C3 } $a440 = { (F7 | D7) D4 DA DF (F7 | D7) D2 D9 C9 DA C9 C2 } $a441 = { (F0 | D0) D3 DD D8 (F0 | D0) D5 DE CE DD CE C5 } $a442 = { (F1 | D1) D2 DC D9 (F1 | D1) D4 DF CF DC CF C4 } $a443 = { (F2 | D2) D1 DF DA (F2 | D2) D7 DC CC DF CC C7 } $a444 = { (F3 | D3) D0 DE DB (F3 | D3) D6 DD CD DE CD C6 } $a445 = { (8C | AC) AF A1 A4 (8C | AC) A9 A2 B2 A1 B2 B9 } $a446 = { (8D | AD) AE A0 A5 (8D | AD) A8 A3 B3 A0 B3 B8 } $a447 = { (8E | AE) AD A3 A6 (8E | AE) AB A0 B0 A3 B0 BB } $a448 = { (8F | AF) AC A2 A7 (8F | AF) AA A1 B1 A2 B1 BA } $a449 = { (88 | A8) AB A5 A0 (88 | A8) AD A6 B6 A5 B6 BD } $a450 = { (89 | A9) AA A4 A1 (89 | A9) AC A7 B7 A4 B7 BC } $a451 = { (8A | AA) A9 A7 A2 (8A | AA) AF A4 B4 A7 B4 BF } $a452 = { (8B | AB) A8 A6 A3 (8B | AB) AE A5 B5 A6 B5 BE } $a453 = { (84 | A4) A7 A9 AC (84 | A4) A1 AA BA A9 BA B1 } $a454 = { (85 | A5) A6 A8 AD (85 | A5) A0 AB BB A8 BB B0 } $a455 = { (86 | A6) A5 AB 
AE (86 | A6) A3 A8 B8 AB B8 B3 } $a456 = { (87 | A7) A4 AA AF (87 | A7) A2 A9 B9 AA B9 B2 } $a457 = { (80 | A0) A3 AD A8 (80 | A0) A5 AE BE AD BE B5 } $a458 = { (81 | A1) A2 AC A9 (81 | A1) A4 AF BF AC BF B4 } $a459 = { (82 | A2) A1 AF AA (82 | A2) A7 AC BC AF BC B7 } $a460 = { (83 | A3) A0 AE AB (83 | A3) A6 AD BD AE BD B6 } $a461 = { (9C | BC) BF B1 B4 (9C | BC) B9 B2 A2 B1 A2 A9 } $a462 = { (9D | BD) BE B0 B5 (9D | BD) B8 B3 A3 B0 A3 A8 } $a463 = { (9E | BE) BD B3 B6 (9E | BE) BB B0 A0 B3 A0 AB } $a464 = { (9F | BF) BC B2 B7 (9F | BF) BA B1 A1 B2 A1 AA } $a465 = { (98 | B8) BB B5 B0 (98 | B8) BD B6 A6 B5 A6 AD } $a466 = { (99 | B9) BA B4 B1 (99 | B9) BC B7 A7 B4 A7 AC } $a467 = { (9A | BA) B9 B7 B2 (9A | BA) BF B4 A4 B7 A4 AF } $a468 = { (9B | BB) B8 B6 B3 (9B | BB) BE B5 A5 B6 A5 AE } $a469 = { (94 | B4) B7 B9 BC (94 | B4) B1 BA AA B9 AA A1 } $a470 = { (95 | B5) B6 B8 BD (95 | B5) B0 BB AB B8 AB A0 } $a471 = { (96 | B6) B5 BB BE (96 | B6) B3 B8 A8 BB A8 A3 } $a472 = { (97 | B7) B4 BA BF (97 | B7) B2 B9 A9 BA A9 A2 } $a473 = { (90 | B0) B3 BD B8 (90 | B0) B5 BE AE BD AE A5 } $a474 = { (91 | B1) B2 BC B9 (91 | B1) B4 BF AF BC AF A4 } $a475 = { (92 | B2) B1 BF BA (92 | B2) B7 BC AC BF AC A7 } $a476 = { (93 | B3) B0 BE BB (93 | B3) B6 BD AD BE AD A6 } $a477 = { (AC | 8C) 8F 81 84 (AC | 8C) 89 82 92 81 92 99 } $a478 = { (AD | 8D) 8E 80 85 (AD | 8D) 88 83 93 80 93 98 } $a479 = { (AE | 8E) 8D 83 86 (AE | 8E) 8B 80 90 83 90 9B } $a480 = { (AF | 8F) 8C 82 87 (AF | 8F) 8A 81 91 82 91 9A } $a481 = { (A8 | 88) 8B 85 80 (A8 | 88) 8D 86 96 85 96 9D } $a482 = { (A9 | 89) 8A 84 81 (A9 | 89) 8C 87 97 84 97 9C } $a483 = { (AA | 8A) 89 87 82 (AA | 8A) 8F 84 94 87 94 9F } $a484 = { (AB | 8B) 88 86 83 (AB | 8B) 8E 85 95 86 95 9E } $a485 = { (A4 | 84) 87 89 8C (A4 | 84) 81 8A 9A 89 9A 91 } $a486 = { (A5 | 85) 86 88 8D (A5 | 85) 80 8B 9B 88 9B 90 } $a487 = { (A6 | 86) 85 8B 8E (A6 | 86) 83 88 98 8B 98 93 } $a488 = { (A7 | 87) 84 8A 8F (A7 | 87) 82 89 99 8A 99 92 } $a489 = { (A0 | 80) 
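83 8D 88 (A0 | 80) 85 8E 9E 8D 9E 95 }
        $a490 = { (A1 | 81) 82 8C 89 (A1 | 81) 84 8F 9F 8C 9F 94 }
        $a491 = { (A2 | 82) 81 8F 8A (A2 | 82) 87 8C 9C 8F 9C 97 }
        $a492 = { (A3 | 83) 80 8E 8B (A3 | 83) 86 8D 9D 8E 9D 96 }
        $a493 = { (BC | 9C) 9F 91 94 (BC | 9C) 99 92 82 91 82 89 }
        $a494 = { (BD | 9D) 9E 90 95 (BD | 9D) 98 93 83 90 83 88 }
        $a495 = { (BE | 9E) 9D 93 96 (BE | 9E) 9B 90 80 93 80 8B }
        $a496 = { (BF | 9F) 9C 92 97 (BF | 9F) 9A 91 81 92 81 8A }
        $a497 = { (B8 | 98) 9B 95 90 (B8 | 98) 9D 96 86 95 86 8D }
        $a498 = { (B9 | 99) 9A 94 91 (B9 | 99) 9C 97 87 94 87 8C }
        $a499 = { (BA | 9A) 99 97 92 (BA | 9A) 9F 94 84 97 84 8F }
        $a500 = { (BB | 9B) 98 96 93 (BB | 9B) 9E 95 85 96 85 8E }
        $a501 = { (B4 | 94) 97 99 9C (B4 | 94) 91 9A 8A 99 8A 81 }
        $a502 = { (B5 | 95) 96 98 9D (B5 | 95) 90 9B 8B 98 8B 80 }
        $a503 = { (B6 | 96) 95 9B 9E (B6 | 96) 93 98 88 9B 88 83 }
        $a504 = { (B7 | 97) 94 9A 9F (B7 | 97) 92 99 89 9A 89 82 }
        $a505 = { (B0 | 90) 93 9D 98 (B0 | 90) 95 9E 8E 9D 8E 85 }
        $a506 = { (B1 | 91) 92 9C 99 (B1 | 91) 94 9F 8F 9C 8F 84 }
        $a507 = { (B2 | 92) 91 9F 9A (B2 | 92) 97 9C 8C 9F 8C 87 }
    condition:
        any of them
}

rule Base64d_PE {
    meta:
        description = "Contains a base64-encoded executable"
        author = "Florian Roth"
        date = "2017-04-21"
    strings:
        // Each string is the base64 encoding of the first 20 bytes of a
        // common DOS stub header. Decoded, $mz_hdr_cp3 is
        //   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00
        // ("MZ", e_cblp=0x90, e_cp=3, e_cparhdr=4, e_maxalloc=0xFFFF, e_sp=0xB8)
        // and $mz_hdr_cp2 is the e_cp=2 / e_minalloc=0x0F variant:
        //   4D 5A 90 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00
        $mz_hdr_cp3 = "TVqQAAMAAAAEAAAA//8AALgAAAA" wide ascii
        $mz_hdr_cp2 = "TVqQAAIAAAAEAA8A//8AALgAAAA" wide ascii
        // Deliberately no 'nocase': base64 is case-significant and a
        // case-insensitive match would pick up unrelated text.
        // Limitation: these only match when "MZ" sits on a 3-byte boundary
        // of the encoded input (the PE is encoded starting at its first
        // byte). A PE embedded at another offset inside the encoded blob,
        // or one with a different DOS stub header, produces a different
        // base64 text and is not caught here.
    condition:
        $mz_hdr_cp3 or $mz_hdr_cp2
}

rule Misc_Suspicious_Strings {
    meta:
        description = "Miscellaneous malware strings"
        author = "Ivan Kwiatkowski (@JusticeRage)"
    strings:
        // Generic vocabulary. Only "virus" and "hack" are 'fullword';
        // "backdoor" and "exploit" also match inside longer words
        // ("backdoored", "exploitation"), and all four occur legitimately in
        // security products, games and documentation. Treat a hit as a hint
        // to be weighed against the other rules, not as a verdict.
        $word_backdoor = "backdoor" nocase ascii wide
        $word_virus    = "virus" nocase ascii wide fullword
        $word_hack     = "hack" nocase ascii wide fullword
        $word_exploit  = "exploit" nocase ascii wide
        // Shell, sandbox and hosts-file references.
        $cmd_exe    = "cmd.exe" nocase ascii wide    // also common in benign installers and launchers
        $cwsandbox  = "CWSandbox" nocase wide ascii  // Found in some Zeus/Citadel samples
        // Path of the hosts file (single backslashes once YARA unescapes it);
        // commonly referenced by samples that rewrite it to redirect or block domains.
        $hosts_file = "System32\\drivers\\etc\\hosts" nocase wide ascii
    condition:
        any of ($word_*) or $cmd_exe or $cwsandbox or $hosts_file
}

rule BITS_CLSID {
    meta:
        description = "References the BITS service."
        author = "Ivan Kwiatkowski (@JusticeRage)"
        // The BITS service seems to be used heavily by EquationGroup.
    strings:
        // Every pattern is a GUID in the layout of a Windows GUID struct:
        // Data1, Data2 and Data3 little-endian, Data4 in written order. That
        // is how a compiled CoCreateInstance / QueryInterface call references
        // the CLSID or IID in .rdata. It does NOT catch a sample that carries
        // the GUID as text (e.g. for CLSIDFromString or a scripting host);
        // the textual form is given next to each pattern for reference.
        //
        // BackgroundCopyManager CLSIDs, by BITS version.
        $uuid_background_copy_manager     = { 4B D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 } // {4991D34B-80A1-4291-83B6-3328366B9097}
        $uuid_background_copy_manager_1_5 = { 1F 77 87 F0 4F D7 1A 4C BB 8A E1 6A CA 91 24 EA } // {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}
        $uuid_background_copy_manager_2_0 = { 12 AD 18 6D E3 BD 93 43 B3 11 09 9C 34 6E 6D F9 } // {6D18AD12-BDE3-4393-B311-099C346E6DF9}
        $uuid_background_copy_manager_2_5 = { D6 98 CA 03 5D FF B8 49 AB C6 03 DD 84 12 70 20 } // {03CA98D6-FF5D-49B8-ABC6-03DD84127020}
        $uuid_background_copy_manager_3_0 = { A7 DE 9C 65 9E 48 D9 11 A9 CD 00 0D 56 96 52 51 } // {659CDEA7-489E-11D9-A9CD-000D56965251}
        $uuid_background_copy_manager_4_0 = { 6B F5 6D BB CE CA DC 11 99 92 00 19 B9 3A 3A 84 } // {BB6DF56B-CACE-11DC-9992-0019B93A3A84}
        $uuid_background_copy_manager_5_0 = { 4C A3 CC 1E 8A E8 E3 44 8D 6A 89 21 BD E9 E4 52 } // {1ECCA34C-E88A-44E3-8D6A-8921BDE9E452}
        // Interfaces and the queue manager.
        $uuid_ibackground_copy_manager        = { 0D 4C E3 5C C9 0D 1F 4C 89 7C DA A1 B7 8C EE 7C } // {5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}
        $uuid_ibits_peer_cache_administration = { AD DE 9C 65 9E 48 D9 11 A9 CD 00 0D 56 96 52 51 } // {659CDEAD-489E-11D9-A9CD-000D56965251}
        $uuid_background_copy_callback        = { C7 99 EA 97 86 01 D4 4A 8D F9 C5 B4 E0 ED 6B 22 } // {97EA99C7-0186-4AD4-8DF9-C5B4E0ED6B22}
        // Fixed: this one was previously written in textual (big-endian)
        // byte order, { 69 AD 4A EE 51 BE 43 9B ... }, unlike the ten
        // patterns above. Read little-endian that gives Data3 = 0x9B43, an
        // impossible GUID version nibble, and it never matches the struct a
        // binary actually contains. Re-ordered to the struct layout of
        // CLSID_BackgroundCopyQMgr.
        $uuid_background_copy_qmanager = { EE 4A AD 69 BE 51 9B 43 A9 2C 86 AE 49 0E 8B 30 } // {69AD4AEE-51BE-439B-A92C-86AE490E8B30}
    condition:
        1 of ($uuid_*)
}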